Malware Analysis Report

2024-10-19 06:15

Sample ID 220220-kdsadaaed8
Target 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
SHA256 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
Tags
ryuk discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99

Threat Level: Known bad

The file 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 08:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 08:29

Reported

2022-02-20 09:19

Platform

win7-en-20211208

Max time kernel

177s

Max time network

226s

Command Line

"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"

Signatures

Ryuk

ransomware ryuk

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe N/A
File opened for modification C:\Program Files\7-Zip\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
PID 1544 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
PID 1544 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
PID 1544 wrote to memory of 26188 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Windows\SysWOW64\icacls.exe
PID 1544 wrote to memory of 26196 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"

C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe

"C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe" 9 REP

C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe

"C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe

"C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

Network


Files

memory/1544-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe

C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe

\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe

C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe

\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe

C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe

C:\users\Public\RyukReadMe.html

C:\MSOCache\All Users\RyukReadMe.html

C:\$Recycle.Bin\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\RyukReadMe.html

C:\PerfLogs\RyukReadMe.html

C:\MSOCache\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html

C:\Users\RyukReadMe.html

C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\RyukReadMe.html

MD5 2ebc1b0ea162294be2a9d7466ebb5a90
SHA1 0383e7bb7f0e8e06afab4d70db4b4d330499cc27
SHA256 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb
SHA512 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65

C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe

C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe

memory/1544-98-0x000000000BAD0000-0x000000000C58A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 08:29

Reported

2022-02-20 09:19

Platform

win10v2004-en-20220113

Max time kernel

173s

Max time network

223s

Command Line

"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"

Signatures

Ryuk

ransomware ryuk

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1700 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
PID 1700 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
PID 1700 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
PID 1700 wrote to memory of 7544 N/A C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe

"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"

C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe

"C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe" 9 REP

C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe

"C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe

"C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe" 8 LAN

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

Network

Country Destination Domain Proto
US 8.8.8.8:53 176.122.125.40.in-addr.arpa udp
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.251:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe

C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe

C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe

C:\users\Public\RyukReadMe.html
