Analysis Overview
SHA256
379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99
Threat Level: Known bad
The file 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Checks computer location settings
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 08:29
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 08:29
Reported
2022-02-20 09:19
Platform
win7-en-20211208
Max time kernel
177s
Max time network
226s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\RyukReadMe.html | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\RyukReadMe.html | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
"C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
"C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
"C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
Network
| Country | Destination | Proto | Domain |
| N/A | 10.127.0.1:7 | udp | |
| NL | 154.61.71.51:7 | udp | |
| N/A | 224.0.0.22:7 | udp | |
| N/A | 224.0.0.252:7 | udp | |
| N/A | 239.255.255.250:7 | udp | |
| N/A | 10.127.0.1:7 | udp | |
| N/A | 10.127.4.12:7 | udp | |
| N/A | 10.127.4.20:7 | udp | |
| N/A | 10.127.4.22:7 | udp | |
| N/A | 10.127.4.24:7 | udp | |
| N/A | 10.127.4.26:7 | udp | |
| N/A | 10.127.4.32:7 | udp | |
| N/A | 10.127.4.36:7 | udp | |
| N/A | 10.127.4.38:7 | udp | |
| N/A | 10.127.4.42:7 | udp | |
| N/A | 10.127.4.44:7 | udp | |
| N/A | 10.127.4.46:7 | udp | |
| N/A | 10.127.4.48:7 | udp | |
| N/A | 10.127.4.50:7 | udp | |
| N/A | 10.127.4.51:7 | udp | |
| N/A | 10.127.4.52:7 | udp | |
| N/A | 10.127.4.53:7 | udp | |
| N/A | 10.127.4.54:7 | udp | |
| N/A | 10.127.4.55:7 | udp | |
| N/A | 10.127.4.56:7 | udp | |
| N/A | 10.127.4.58:7 | udp | |
| N/A | 10.127.4.59:7 | udp | |
| N/A | 10.127.4.60:7 | udp | |
| N/A | 10.127.4.61:7 | udp | |
| N/A | 10.127.4.62:7 | udp | |
| N/A | 10.127.4.63:7 | udp | |
| N/A | 10.127.4.64:7 | udp | |
| N/A | 10.127.4.65:7 | udp | |
| N/A | 10.127.4.66:7 | udp | |
| N/A | 10.127.4.67:7 | udp | |
| N/A | 10.127.4.68:7 | udp | |
| N/A | 10.127.4.69:7 | udp | |
| N/A | 10.127.4.70:7 | udp | |
| N/A | 10.127.4.71:7 | udp | |
| N/A | 10.127.4.72:7 | udp | |
| N/A | 10.127.4.73:7 | udp | |
| N/A | 10.127.4.74:7 | udp | |
| N/A | 10.127.4.75:7 | udp | |
| N/A | 10.127.4.76:7 | udp | |
| N/A | 10.127.4.77:7 | udp | |
| N/A | 10.127.4.78:7 | udp | |
| N/A | 10.127.4.79:7 | udp | |
| N/A | 10.127.4.80:7 | udp | |
| N/A | 10.127.4.81:7 | udp | |
| N/A | 10.127.4.82:7 | udp | |
| N/A | 10.127.4.83:7 | udp | |
| N/A | 10.127.4.84:7 | udp | |
| N/A | 10.127.4.85:7 | udp | |
| N/A | 10.127.4.86:7 | udp | |
| N/A | 10.127.4.87:7 | udp | |
| N/A | 10.127.4.88:7 | udp | |
| N/A | 10.127.4.89:7 | udp | |
| N/A | 10.127.4.90:7 | udp | |
| N/A | 10.127.4.91:7 | udp | |
| N/A | 10.127.4.92:7 | udp | |
| N/A | 10.127.4.93:7 | udp | |
| N/A | 10.127.4.94:7 | udp | |
| N/A | 10.127.4.95:7 | udp | |
| N/A | 10.127.4.96:7 | udp | |
| N/A | 10.127.4.97:7 | udp | |
| N/A | 10.127.4.98:7 | udp | |
| N/A | 10.127.4.99:7 | udp | |
| N/A | 10.127.4.100:7 | udp | |
| N/A | 10.127.4.101:7 | udp | |
| N/A | 10.127.4.102:7 | udp | |
| N/A | 10.127.4.103:7 | udp | |
| N/A | 10.127.4.104:7 | udp | |
| N/A | 10.127.4.105:7 | udp | |
| N/A | 10.127.4.107:7 | udp | |
| N/A | 10.127.4.109:7 | udp | |
| N/A | 10.127.4.111:7 | udp | |
| N/A | 10.127.4.113:7 | udp | |
| N/A | 10.127.4.115:7 | udp | |
| N/A | 10.127.5.92:7 | udp | |
| N/A | 10.127.5.105:7 | udp | |
| N/A | 10.127.5.108:7 | udp | |
| N/A | 10.127.5.129:7 | udp | |
| N/A | 10.127.5.141:7 | udp | |
| N/A | 10.127.5.145:7 | udp | |
| N/A | 10.127.5.149:7 | udp | |
| N/A | 10.127.5.151:7 | udp | |
| N/A | 10.127.5.153:7 | udp | |
| N/A | 10.127.5.155:7 | udp | |
| N/A | 10.127.5.157:7 | udp | |
| N/A | 10.127.5.159:7 | udp | |
| N/A | 10.127.5.161:7 | udp | |
| N/A | 10.127.5.163:7 | udp | |
| N/A | 10.127.5.165:7 | udp | |
| N/A | 10.127.5.167:7 | udp | |
| N/A | 10.127.5.169:7 | udp | |
| N/A | 10.127.6.103:7 | udp | |
| N/A | 10.127.7.12:7 | udp | |
| N/A | 10.127.7.16:7 | udp | |
| N/A | 10.127.7.18:7 | udp | |
| N/A | 10.127.7.20:7 | udp | |
| N/A | 10.127.7.22:7 | udp | |
| N/A | 10.127.7.24:7 | udp | |
| N/A | 10.127.7.26:7 | udp | |
| N/A | 10.127.7.28:7 | udp | |
| N/A | 10.127.7.30:7 | udp | |
| N/A | 10.127.7.32:7 | udp | |
| N/A | 10.127.7.34:7 | udp | |
| N/A | 10.127.7.36:7 | udp | |
| N/A | 10.127.7.118:7 | udp | |
| N/A | 10.127.7.233:7 | udp | |
| N/A | 10.127.7.237:7 | udp | |
| N/A | 10.127.7.241:7 | udp | |
| N/A | 10.127.7.242:7 | udp | |
| N/A | 10.127.7.244:7 | udp | |
| N/A | 10.127.7.245:7 | udp | |
| N/A | 10.127.7.251:7 | udp | |
| N/A | 10.127.8.1:7 | udp | |
| N/A | 10.127.8.2:7 | udp | |
| N/A | 10.127.8.3:7 | udp | |
| N/A | 10.127.8.4:7 | udp | |
| N/A | 10.127.8.5:7 | udp | |
| N/A | 10.127.8.6:7 | udp | |
| N/A | 10.127.8.7:7 | udp | |
| N/A | 10.127.8.8:7 | udp | |
| N/A | 10.127.8.9:7 | udp | |
| N/A | 10.127.8.10:7 | udp | |
| N/A | 10.127.8.11:7 | udp | |
| N/A | 10.127.8.12:7 | udp | |
| N/A | 10.127.8.13:7 | udp | |
| N/A | 10.127.8.14:7 | udp | |
| N/A | 10.127.8.15:7 | udp | |
| N/A | 10.127.8.16:7 | udp | |
| N/A | 10.127.8.17:7 | udp | |
| N/A | 10.127.8.18:7 | udp | |
| N/A | 10.127.8.19:7 | udp | |
| N/A | 10.127.8.20:7 | udp | |
| N/A | 10.127.8.21:7 | udp | |
| N/A | 10.127.8.22:7 | udp | |
| N/A | 10.127.8.23:7 | udp | |
| N/A | 10.127.8.24:7 | udp | |
| N/A | 10.127.8.25:7 | udp | |
| N/A | 10.127.8.26:7 | udp | |
| N/A | 10.127.8.27:7 | udp | |
| N/A | 10.127.8.28:7 | udp | |
| N/A | 10.127.8.29:7 | udp | |
| N/A | 10.127.8.30:7 | udp | |
| N/A | 10.127.8.31:7 | udp | |
| N/A | 10.127.8.32:7 | udp | |
| N/A | 10.127.8.33:7 | udp | |
| N/A | 10.127.8.34:7 | udp | |
| N/A | 10.127.8.35:7 | udp | |
| N/A | 10.127.8.36:7 | udp | |
| N/A | 10.127.8.37:7 | udp | |
| N/A | 10.127.8.38:7 | udp | |
| N/A | 10.127.8.40:7 | udp | |
| N/A | 10.127.8.41:7 | udp | |
| N/A | 10.127.8.42:7 | udp | |
| N/A | 10.127.8.39:7 | udp | |
| N/A | 10.127.8.43:7 | udp | |
| N/A | 10.127.8.44:7 | udp | |
| N/A | 10.127.8.45:7 | udp | |
| N/A | 10.127.8.46:7 | udp | |
Files
memory/1544-54-0x0000000075D61000-0x0000000075D63000-memory.dmp
\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\users\Public\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\$Recycle.Bin\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
| MD5 | 7f46d4093208046941ac3f57aa807f80 |
| SHA1 | 73b2b0ba258b9162ea87301c15beb69bb6840a0e |
| SHA256 | e31c3a9b2228057b58678a691679cdd240b5e43998e0d2fde1081b96144bd115 |
| SHA512 | bf6513879f75b682d919cf7755e3c36360731d5c82e2d73b5e106e11d521917739a9e1d8358977a5ff7b1ad66be9c4cd09e7b04785085cab64c8380f200bfb8a |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
| MD5 | ed1448395aa7a8b0a3de40038c010c95 |
| SHA1 | ee9867ee9bd89b0eb031bf0c99ceb9bbd68b2a42 |
| SHA256 | f453e7a81af34875a67605a0ec9138b2d3eff614dc0327860a6173c2bd1846f1 |
| SHA512 | 7890e7a2064f689c0f78b9435d2db7533808290e1a56b2530fd359f3c3ed6a0b0bac7d09788bd4c8b482074930a3cab4a0408426a05eaed1659943a9c8e3b964 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
| MD5 | 6d4714f2135663477b765f6945b7a196 |
| SHA1 | 9dfff18907a124ac453468c96159558617590a8c |
| SHA256 | 7b6c99b1c3e9e48387d59785550db57e98be61bf433b909dd906699f70119d37 |
| SHA512 | af6caa9c15286367316180918feecb0ff0ebe7b0a948e0183934199c805da711509cdfd5f698274f4048c2de47a3641266b43f52baf15650c555b0cab1bcbff5 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
| MD5 | 9afe9bc62c50b2db45decd9a2af05f67 |
| SHA1 | d2c07e85b10fb8a6b320e23e2c87da29de4792df |
| SHA256 | 7245935794be24f360e03e11a2c185a277e212d3b81c5c86dc83e1b6f78947f5 |
| SHA512 | 10e57af6adfc702f0daa2c27322ae1acce252ce13d175ad7ae3d6e61593cd315dc7eb961cc9c831b0fdb06f1bd236ee2fc8545015bba0be7ae834a1ca8e956bb |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
| MD5 | 3730dfaa6e6f4d1010a2168f3c04b244 |
| SHA1 | 42eef5ce5b68f664fa03adc31761653289f5bd06 |
| SHA256 | cb9950bacde9dd03056a2adcc43737a75e5cd4d315eda6bbaf86c6517beefa50 |
| SHA512 | f8b4abae5e7feb476b0b442cafc67c4bb2511cb470000ca443a21ca56dfe739da98dfff7850ca0bb324b37864a7165fa73c58b65273a509261af1e28f66d6b90 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
| MD5 | 6c432ac1c066d3a88a9be1ae4d9bbc5b |
| SHA1 | 662eca96469f7ce05ed86ff4039ebb46d63d19cf |
| SHA256 | f001051bc8ed094e6984b637198bf385d3a2d5fdb024669000b18c46ab6fb34b |
| SHA512 | c76baac4bdf366e00d1214a8d872f2576252e40d7da1eeebc49c2865ce2b5f7b00ec58d0531561d78c64a1499b11ef858a6d6db67da2308372eeecc2e8c0ed3f |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 2eac3c51723fbe0a1e4d89694ba71371 |
| SHA1 | d843575dc85ff2d99b55cffdac90324b01d8cfdb |
| SHA256 | 11b6de4b3544b41776ce1aeae611b8b9bc5d391f7dc23ae87be4cbb752603801 |
| SHA512 | 8ab7a274fb546ef894a8c320fc9c309e1fe616c951cc34c6bd9cd52a1ee5de7fc8420d67b0685204914f5cb2e3d20ee53a3a648046472ff923e1ef57f403d214 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
| MD5 | 8e826f6def5231f89aeb53de72f703ca |
| SHA1 | 60858bb4794a2750780ed16bbd57fd8ee358cad7 |
| SHA256 | 4a8e01cb2eb6d93ed3ef8a4940e285ed61ec3a27fbedbfad9a234971ebbac8bc |
| SHA512 | fd2f5782ea99c0061e4358fa182bbeaa223a2c73added451c846906c9c6edc943429be21047ef1328dc94e1f5a981c7d656e6392572f900a0e6251cd7416b9b0 |
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
| MD5 | 2e66a0c34068f7922bf33bdc4da58f3d |
| SHA1 | 6e9a52515929b6ea56af6a1f4609d138317af9fe |
| SHA256 | 27f0c5d48623b111a3a07bfd5e0b24e05267691c84c55cf0ea4a1e01d0d16ce4 |
| SHA512 | c4d2c262a7c68066eb7127afa3bcc1fd279d610bb0b5b1af7939e1919957115aeb2cf2d742e7da858ab5252f42f41f8ad3efb8adfe58dbed25f2a551f2511b50 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | b583fcb6ce03b70885438dd4360429ac |
| SHA1 | 312dc428058a72bd978669ccb0754f6c1f6c110d |
| SHA256 | 8ccec1d1c459d46e59b1da227897f35a65adc8b387c89191fbe5e3c1c2c7fe78 |
| SHA512 | 0ec0268dd43e3fc11751f293a3d1c819c5c90b746a998bc7772229fd727776b44ea120fd8a9ababc646e994fb8f0104f3fd9921a53c85f1e671dbda2853fc2ea |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
| MD5 | 6f2f2b3977094bcc55128326a7582ffe |
| SHA1 | 3b944f5fd2c055a8ef8bb6ebda6c8a978b558937 |
| SHA256 | d99ec186b86d7cfb1b2ec3b8317e9a8002ed5c7d35b7b24d6a58726841d9017d |
| SHA512 | 925dd162f415c5e7513cc4b9b4c8a3dfa8ffba4647356ba9c55cb8e9eebcdcf1e413d6c5b41550dec208be58e79ea301efe42e25aa87df5dc2517804cb127cb5 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
| MD5 | d575603f5688fc18edcd38166f53b024 |
| SHA1 | b23025cdb710fd3d1311e563fb89083fced2418c |
| SHA256 | 9966624a96d9efbbd7126806012c5fedc95b07758c43fb3fad0fa1dfd98b1ed2 |
| SHA512 | 92a97d3c25704893b42c18879855f195bb40252b12748855ab6df1f35cb77b7c643fe6cc496d7f0ceed8a01a88d997f43f432b8dd4bc56c92348fa0c568ce407 |
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
| MD5 | 519563524371a040cc2c0956d847a4c7 |
| SHA1 | 087c09bc65822b4308ed9d46ffc79008dc7b3497 |
| SHA256 | 607b7cc3d09b6c5d92240bc33c582d37426ebb06ee03a7ed09ed1f55f9d3c726 |
| SHA512 | 10d34c94e614378c9ed09877cc930a0b45b61a881fcdbec50eeb30e7c3c64b28f2e53180df5c5d97076aa89a12aeb772cea3d00061b01027785be6d5db5ba8f2 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 161d393e64ee96ce7082496dc06e6160 |
| SHA1 | a88dccf4fd214453d49b2d0adf5487f0f56735b7 |
| SHA256 | b092b6279c5b12d67e3a2dff382a204f3284de36ec497c589c916c1ae7ae0a91 |
| SHA512 | 915eda45b7e8aabb52ce546693664f503dffe5e5c20389c10423f875d812bc3a40a69215b87836396871b30f1d6dbf74fbd24238124a3b54c0363e89baf7ad40 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
| MD5 | f33b55235600426c5df3293b0c09fdf9 |
| SHA1 | d2ddad1a7e0006b0af69bc452b3442489a5bb20b |
| SHA256 | 5056a0bfd68560fecbbea755f8bb27aa28d4f5c6487b3aed6c1a4fd67278e08f |
| SHA512 | 0ae39094a90d554edf6bdb88bf9d2091b538052a730a833dced38715ed137fc2ae40304e65896eb5a1c971c77e307344ddb2b9f01bbca718992326cd839f96c0 |
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
| MD5 | 4f9fb8b21b580ad65fc8dd62f6e72e04 |
| SHA1 | a2d97bd716fd89de4d401555b3b30c5f842ada1d |
| SHA256 | cb0a9e940214cc0bfbbf2847ff48e43c2a4f4d5f949f7956e016656cc2c45bb0 |
| SHA512 | 459b9c65ebf658f442a2bca4cebc8ddfeeeb8948d7fa6221a371a49a175dc922d8b01cecb8d1f097b17098227499ea0680532d444425f0a9e807c24275cde98f |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | 3d1317e5ffccadeeeddd5636edee7021 |
| SHA1 | e3f6d89e1b9bae571990a47312bff320853d7a61 |
| SHA256 | b62f10cef4f8535ed313841df42121d0c0b5026ed92ffe5a33ab340da6bd2556 |
| SHA512 | 6738369f75ed85d4e75ec3d3cd90409bf4e92978cfd2733a34253f95d7cd5aa283dde9a30beb74baa79f2b6fac2f7dd908e6292763fe8a572333c8bc2aa7948f |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
| MD5 | e4053ad64c731b0c9bf70fb7eea73457 |
| SHA1 | b6718f9b9f2ced0c8b1c759af1fb685ccf9d77e0 |
| SHA256 | f1f78009396815d600665334e11f6fe8135b6e2afab9e248a7c6ba4763a740fa |
| SHA512 | e980d8b8058a619b44d84d1a86678f97cf7f0cdb1cfec547d30599b029de7928ea0f33cfe1af46ce05094216d6fc341cd5331b7e7f0e2280f9ddc9b57124295e |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
| MD5 | 2452d07771d86bb532ebdc74cb49946c |
| SHA1 | c9d9e570e8a9d232bf7df10ebe3ff38507a7d766 |
| SHA256 | b9b23436a02988494af4f57c7fdd8ad5c2414a0305ad05a71d957a4f6fb4708c |
| SHA512 | ebd8387b0e16f7669a55c55f7bf76945afbfd5c2fdb129ed1d726dc35866b70c7ef1123feeace3cbcba79b210aa966ef5add6c83c8278ff767017d68d06e6311 |
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
| MD5 | 06ae9658db490865365c8c546d610f2b |
| SHA1 | 7246ace6a5790f3d9d099c4300bd639c0a8963ed |
| SHA256 | c1d2215f2b9606feabd801d9fddb45dcb512d25434d4217aeaa9e4202695501c |
| SHA512 | 75aa654744c014f4833cf09a5a1dba2a82f10409dbe7415a47db60bd9bb945bf9981dfec6d0f3a161e140338cdea7bceca9305dc2778a115674a21f60d5342c0 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
| MD5 | cbc4d2558200ae04cb9e86fb4ce9e548 |
| SHA1 | 5484e331c0def86888b5d5e7b156aa019687c392 |
| SHA256 | 6af13cfadb53c41bb4d391eba9b8246b7f196290b95654e03595129bf649bc0a |
| SHA512 | 9d27e1650b3b63d6d106657c8da21b840e3ca97b2a88c4f5e7d740c0c3204933145e873c500b19feddb6925020e160ca7b5e559879497552c9e9165294508a5a |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
| MD5 | d2b253645a6fca071cfebc3dd27dda01 |
| SHA1 | 7696297ee9a6120cd54268581a38ca88839f1499 |
| SHA256 | b40b2d69e17d3ed5f980b40200414ddf656043b1b480eb548f2c2bbd1aa70a85 |
| SHA512 | 026ec89e64446623194ac8b9aba9f156d1813a278b708b8e4a25d07e3f1a8c9ce111115298434ee0aa46a18124cf68bc4c31a307f4202cbcc993f312f316f37b |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
| MD5 | a7c55ac972cf585c590076be27e0a7a6 |
| SHA1 | d0c37f1973c647f293a4dc0ee7b93ba9ab8ac0e1 |
| SHA256 | 4a10592f89b7d22753f9c3e2a8039aeea93b349abecdff9d50b213f301a8a321 |
| SHA512 | 4becfe795e514a9b0b4e489680f9f03d8620019628e497fa8b007fbb890f35249a10aea9bfe8b2e32a228f7e05033e2525154afbffe3ef6fb677328ed2193231 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
| MD5 | c20473a34596645813cf172cb4e33427 |
| SHA1 | 0d55e197e8f8ba311d60194c908a8d2218a82f34 |
| SHA256 | 9af3acb3307937d9ea77a0e8f6ebaf399844f0131677bb66f7c819389e9aa38a |
| SHA512 | 0675ac95849f5cd6e79a12891cc0aac6722e214d3fe4f7eb447ef8efdb9162075baeb092b00b6a34e475950167c09164ba8327c3a1fc952c6b23a329aeee5d13 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
| MD5 | 02cb68a7514c4b559bb55ec8b90144fe |
| SHA1 | afc66765ccccea70fb5b87dd032cd7ca394590d5 |
| SHA256 | d607092a63ded78b645cf974a949fd0693f51b82db4bb2e2bbedb9b3d208e37e |
| SHA512 | b9b54040d39583762fbecb99c72b619ce5f354ec9ce59982175c325cead9a77ca50b45d5aabca544f11995cc0e4c1be3215a8f45e2d01e95957a34044b0fff93 |
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\PerfLogs\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\Users\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\$Recycle.Bin\S-1-5-21-3846991908-3261386348-1409841751-1000\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\Users\Admin\AppData\Local\Temp\FBbBrmbdQlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\WffDgOMpjlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |
C:\Users\Admin\AppData\Local\Temp\OKIzIqFIfrep.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
memory/1544-98-0x000000000BAD0000-0x000000000C58A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 08:29
Reported
2022-02-20 09:19
Platform
win10v2004-en-20220113
Max time kernel
173s
Max time network
223s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe
"C:\Users\Admin\AppData\Local\Temp\379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99.exe"
C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
"C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe" 9 REP
C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
"C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
"C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 10.127.0.1:7 | N/A | udp |
| NL | 154.61.71.51:7 | N/A | udp |
| N/A | 224.0.0.22:7 | N/A | udp |
| N/A | 224.0.0.251:7 | N/A | udp |
| N/A | 224.0.0.252:7 | N/A | udp |
| N/A | 239.255.255.250:7 | N/A | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MmFTIiMoZrep.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\nVpoSqBRLlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\Users\Admin\AppData\Local\Temp\kJGwghwrBlan.exe
| MD5 | 045eb328ff30b09cebd6fe3c031db7bc |
| SHA1 | b28cd818c54d7a4f5416728a8f8408e6c9c40bc2 |
| SHA256 | 379ff8def54e51a12c15d10479906d7e643c88cae9b829eeb7e1ea1e171b3a99 |
| SHA512 | 6f612366761abc5017dfdb6db985736f059fc21c8b6ab6816d379357cca7f9f1ff14690ddb71179e9771e58e0a5eb85d2765b58e8057666b497a7420658ae8e9 |
C:\users\Public\RyukReadMe.html
| MD5 | 2ebc1b0ea162294be2a9d7466ebb5a90 |
| SHA1 | 0383e7bb7f0e8e06afab4d70db4b4d330499cc27 |
| SHA256 | 6ef0c0963b933a607bf80bba260392d8ee51467ee778ef197532f73adecc90bb |
| SHA512 | 978f2580a7a4472a6c2699a4111cc491d8351efb8dcc6055b6573bc7e341e62397047d4bd1b0aa2df12d3338a2e1a15de58c51f1de8d8d6c414436fd08d62e65 |