ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
148s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-09-2022 23:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
SSDEEP

1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

GQPzKGYtfrep.exeKuUTxHMxTlan.exetXryUaxvVlan.exe

pid process

860 GQPzKGYtfrep.exe
1492 KuUTxHMxTlan.exe
5548 tXryUaxvVlan.exe

pid	process
860	GQPzKGYtfrep.exe
1492	KuUTxHMxTlan.exe
5548	tXryUaxvVlan.exe

Loads dropped DLL 6 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

pid	process
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

26092 icacls.exe
26104 icacls.exe

pid	process
26092	icacls.exe
26104	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-lib-uihandler.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaremr.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dhaka	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightRegular.ttf	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\ja-JP\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\specialmainsubpicture.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tripoli	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-masterfs_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\imap.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-multitabs.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\prodicon.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\FlickLearningWizard.exe.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\CompleteUnblock.rtf	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\ja-JP\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Aqtobe	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro_3.4.200.v20130326-1254.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcfr.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunjce_provider.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\cacerts	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\masterix.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

pid	process
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1248 wrote to memory of 860	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	GQPzKGYtfrep.exe
PID 1248 wrote to memory of 860	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	GQPzKGYtfrep.exe
PID 1248 wrote to memory of 860	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	GQPzKGYtfrep.exe
PID 1248 wrote to memory of 860	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	GQPzKGYtfrep.exe
PID 1248 wrote to memory of 1492	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	KuUTxHMxTlan.exe
PID 1248 wrote to memory of 1492	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	KuUTxHMxTlan.exe
PID 1248 wrote to memory of 1492	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	KuUTxHMxTlan.exe
PID 1248 wrote to memory of 1492	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	KuUTxHMxTlan.exe
PID 1248 wrote to memory of 5548	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	tXryUaxvVlan.exe
PID 1248 wrote to memory of 5548	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	tXryUaxvVlan.exe
PID 1248 wrote to memory of 5548	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	tXryUaxvVlan.exe
PID 1248 wrote to memory of 5548	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	tXryUaxvVlan.exe
PID 1248 wrote to memory of 26092	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26092	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26092	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26092	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26104	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26104	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26104	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 26104	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	icacls.exe
PID 1248 wrote to memory of 32200	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32200	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32200	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32200	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32964	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32964	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32964	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 32964	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33144	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33144	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33144	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33144	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33172	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33172	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33172	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 1248 wrote to memory of 33172	1248	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	net.exe
PID 33172 wrote to memory of 33224	33172	net.exe	net1.exe
PID 33172 wrote to memory of 33224	33172	net.exe	net1.exe
PID 33172 wrote to memory of 33224	33172	net.exe	net1.exe
PID 33172 wrote to memory of 33224	33172	net.exe	net1.exe
PID 32200 wrote to memory of 33240	32200	net.exe	net1.exe
PID 32200 wrote to memory of 33240	32200	net.exe	net1.exe
PID 32200 wrote to memory of 33240	32200	net.exe	net1.exe
PID 32200 wrote to memory of 33240	32200	net.exe	net1.exe
PID 33144 wrote to memory of 33232	33144	net.exe	net1.exe
PID 33144 wrote to memory of 33232	33144	net.exe	net1.exe
PID 33144 wrote to memory of 33232	33144	net.exe	net1.exe
PID 33144 wrote to memory of 33232	33144	net.exe	net1.exe
PID 32964 wrote to memory of 33248	32964	net.exe	net1.exe
PID 32964 wrote to memory of 33248	32964	net.exe	net1.exe
PID 32964 wrote to memory of 33248	32964	net.exe	net1.exe
PID 32964 wrote to memory of 33248	32964	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe
"C:\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:860

C:\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe
"C:\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1492

C:\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe
"C:\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:5548

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26092

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26104

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:32964

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:33248

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:32200

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:33240

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:33172

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:33224

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:33144

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:33232

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\$Recycle.Bin\S-1-5-21-999675638-2867687379-27515722-1000\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK
Filesize
22.8MB

MD5
e670657b1bfabf8f5a32f5c4f936d35a

SHA1
c576f3ef19367a3dc0ec5c8e3444f1682517cc8a

SHA256
1be1bd957c1a228d4b3cf4cb9bfb834bfe49a59bc04bc602c82452dbdfb63d33

SHA512
31d9622590c1b841f495c8f30e2c4d105665e709b419e27bda08a405c1aa91d9b2d572548f8f40e37e035695e635aa00720cac0ada8756e93b10ba43d2e3a760

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
Filesize
2.9MB

MD5
e86aa2fc15479b6be868250fa5c1d5c0

SHA1
d175b41a147577b5ad38a6d0c3da2336e4f538b3

SHA256
bb578cb147f92c6f9bd94ed58a833986421686dcbb5d8a03db8ba5b03c5b32e9

SHA512
eb680c65782f51a57086d6dcd5934988933b92da0514cbc714b303032c4746e662cf6c66a477623cb0f67e57e060cb740319a5fbfe2f76d2b45f4b595988e164

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
Filesize
4KB

MD5
2493d2bae779026cf2abfbcb0b27e380

SHA1
03ef1a09b17d3dd5c6d5918e9bb59819c6f1012b

SHA256
d9b022e4de825685925c66bf4638cdf37787f42c7fa49482bd7e9fa2028defd5

SHA512
5d11099f591df199a73ca2eaf3e472d768c31550034689d1b434e9593d3ae3543db622b2c0551b4f9fdb0692e87ef6f93a44f6a48192911ae22cc074fc97d4fb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK
Filesize
23.7MB

MD5
9af61eadc39df8618d497d11df08b2a2

SHA1
263282e01f9f5618fa926268ff0ae4354c955826

SHA256
c8cd216a25b15e453d7e4f4d5c1bcd823ac91306f4cbfd76410cceee86f207f0

SHA512
d8cd2cb3be69a84d02d53aa50ca0246ab368ad6d8b4a58432e1e1e96f08bb0f64d1b90461c288748f44cbab2a3c0f357a5040940777b8089374defb5a4fc29da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
Filesize
17KB

MD5
cebd5911e459ab592d894373962d9bd9

SHA1
13cb48cf20248dca24f9a7face4f8dc62bd6c92e

SHA256
07e9472aada35d3daa08006dcb3ea60ba88848d4f2ac7c3663a691f3cbe551e4

SHA512
ff8e6edb87b52645346142a4b69fdeaf442b62aff098e04c76a33ba1ceee37b2a5e7566401a21dc980f36143122c0421f08b476444f9e4fe911d1644545cd574

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
Filesize
142.4MB

MD5
822f7b85330bf5a331573e989a9a107c

SHA1
67364bd7507f1def2f50a02768276a8ea12af1f4

SHA256
23ee20c51518256e1c522d07a17d97536c8cc2c46c25e5a9a4c548c7c29f26e8

SHA512
26bd065ed3b616646d0513eb269846efc987a6c2bd66818838f8b71463aa8f9e22ebcf4ca02f1883e6c4f669eb48f5b3d7696a31e950b003b0046414fa6bf91e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
Filesize
188.8MB

MD5
34b03c1594d39149f7d6bff37118642d

SHA1
df70928242acf533c711f05c34504300916c8bb6

SHA256
a616320397b889fb9a68e8cf795e0e62b0cee8b57ce6e6e9ddc7bfc4cf77790e

SHA512
3d5b89a2fb02aa8a0b85611ffeab19b3e471183d8f120af027042b0a98c5b74d011d9bd301b00f47ae4f9f5b453f236d1a744ba9c96424e514379d31da64b44c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
31KB

MD5
2ab3462a8d256af79b7f49493eda3eaa

SHA1
dccb4d176cedffe742f0323e666055a4e2efa2f8

SHA256
984050fdec63796c0cade20f1def2092dc72a89c24e6cc2e46f9f9f9876aff48

SHA512
9504db41694b0b4669e952ab0d4d0f678c6d7bfb154891c465f972de185af23b0d709a3f5f2934db52d45d4b4a51abc28d83ca5040b9759608c9c7eea52f83a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
Filesize
699KB

MD5
ca8e3be61fee02737d8f695eabecd86d

SHA1
594fac9dd8b823304968a8198931385a5815edb8

SHA256
99c8f250a7cc8cbc9d4386bdfd53289507bb59286d4439046bb5506ae1b484e4

SHA512
d4cb99192da34f0b3cb089a08099c525db452de8b57e8ee53d99821f60f3a49b96b1a8bbf403652a5580b37960cd70a42e54d4a11b66f848c4e3c946b57b2943

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
Filesize
16.1MB

MD5
2361cb2b66948cb6b8a78d09cf660e7d

SHA1
26fc64ee1b5014e22918caafe91859bcde4c36f0

SHA256
c6416e1c2b7de1c9150c04fc8e2c11b00d8f238bb08f90384729dbcb31ff2ba0

SHA512
dc646678b792fa21e837956e07afef18771ffb8fbdacccc11cbaefce9247752d9896bc209eb28e2efd499e55e4316ab20e93efc1dc741c3dd92b56b370920934

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
Filesize
1.7MB

MD5
bd89c44f6b0dad2df8f33b725575d528

SHA1
bcd9429261c2325451eff10214695756fb256b5b

SHA256
3e4708a0c0b8815ca90e932597311db6046482e7d8b8122a7ff97d534832eb23

SHA512
9ee2454a17eb1364f6f08f434c95b40c6859d43f1ac08c129abc535b7720efd60e26a43508396d44041399b1edab568becd35749803a075722f59d353441c98a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
Filesize
1KB

MD5
f7eb9738ea6a16d0e5a795a95f83aaf2

SHA1
a67c61c68e644b3af5e1e02bff925e20b2fe499e

SHA256
b63480837d6359de5be683ebbd370edbdf6d6b2ef422847383237d69d515fb6d

SHA512
99ca1ee2db831604671bef354bcddff147f99c3c5a3890d0268db101492849fa80593624513f735c5dcd6f0d7b5bcb8634c9b0f8368bfa4b7432cefed1aa3eff

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
2KB

MD5
f251fdacad6aaee3e1880c49f673a46c

SHA1
17757f015bffe5260d32edd91c09d5258c3d0ad5

SHA256
9448f1f508f21ea6132ecc6fb45ca797a65611fa9ee12641ae5431be88922e34

SHA512
3d864d66d5551ae9b389c7a5d8e5a86391770964ea4bf9a76e738d7fe493855ec20f1418432d10ea370b4950a4b8624fb79cbd867f2782be210523c4b9b6fe2a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
Filesize
1.7MB

MD5
4a1c4cb4eb4018abb5f717c81edef1e7

SHA1
f1ed683d68242f38cabdf1c305fc27429fa89fa9

SHA256
882a7eb32d20e452b6a5e9a54a1660d7a3f64b422cf0bb627843364f31e0950f

SHA512
18f554c02df8bd33d8ee40379afcdb0ec3a215f54a4145a2b90e894e6c669b4e55d5bc80cd414fb261d1ec9809f9f4bea946e076fe3e69c421aeb72ddafcb346

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
Filesize
1KB

MD5
1259e0a1078e6a1cb5a6d0eb05c01fcf

SHA1
510035067660e2c5084a631c120e990163360ee4

SHA256
efffdd12404db00327a4c5d225e57b7290c764099b93b92319f3976cab90d9ca

SHA512
b433fa5f1a133b965072b1b15c56395973a50dbfd9465e81c99c94c8f8e4b346c75a49799de10c2c937dab05e1347b6034193325c328d9923c011ab639c077f1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK
Filesize
67.7MB

MD5
30a0e9df86a116377269b8ff786e2483

SHA1
9fd10c6265927905385c0deeae3a50af5fff322b

SHA256
e7167a6dcfcd1e442a41ef5b3980e64506b98f0979ac227b6d60950d1f1a3e15

SHA512
62fd658d5c890036b7a663a896bf43cf30ee38d6d5a4d587457c7dc43a2a78fa6d38565a26e958fe29b776b56c338802b05c4b5b5d52a3088903332ce85047e4

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
2KB

MD5
d19d71d17e30bb0d3144da2d2b059241

SHA1
adc03b56ba20e45b512088f93ef2bfccff04ecb2

SHA256
a245d2d60963ffd746ae31173805725a941a34e7ae2dfe0251e2dc3b35955cc6

SHA512
91f93df73947b9058455328139f454a7aee6dcdf205e0cb3fe9dc35a74bc9cc380513cab12915058fba47703e5bdb02ba0842a4b1d58ebf52e10e26a784d9169

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.RYK
Filesize
1.1MB

MD5
71ef0a474089196cb0ae887bea058907

SHA1
732a6e6a0a12a7084908441b61572149d50ac637

SHA256
938af35cfc420b435545798c135ebe2bbbcfb79777d19aedf7fbe0fa7b6c75c9

SHA512
b77d5536ebd96d854fb92dd653f82551cff44d8b0087c0f9518fbd6d46576b465ad4ba5bac38ac430ce9780dcc45cfa74ee8e6afcd6b42fdf2c2c5aa6b7815d5

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.RYK
Filesize
638KB

MD5
c5be997e18d6ca21c216988b7db58a50

SHA1
f32005d09045e16d67102b015fb57e3a755f9a90

SHA256
c8b23993f7f6e61dc741487dc3e7e7aa832b2123cd5db26c92fb8e3a225a7603

SHA512
9b8cffcf1e42e0150f670b693ca2f3368d75ec6185fb628a14bee5da987e2227c3c038f9547f5b3ed0590b39a432131426865b87a2ee50e9f18c82edab3202c1

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.RYK
Filesize
1KB

MD5
b26a0ec1a3324b5cb968454bc49e9058

SHA1
554cc000123c95d371b29ad97c8b2a21a8d4d910

SHA256
c2fa2a542db5cce03b4b85a2748e5bcc296544a1f3c81c12e132bd981b66ff5d

SHA512
e5fd53fb0439fe50f13dcfdc3169ed799a7aee9994433c6601252d80d0801e36a10bd89f08f175989237dc9c9a3130282e9215f57bf424c9a8f9a7cb5527baa1

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.RYK
Filesize
635KB

MD5
8dfd3f2b1c8fb81761ac28cdfb9da169

SHA1
3cb791478bb6bc12a72f5d1fb60eed09c6e09a83

SHA256
1cbfabde63e31b7c120c6de225e2ea5791107b2079fb2b583cfedb857f493ef4

SHA512
5fc7d4928a7a6d297eee45e5ab422cf9e505f206a3249c8806aa85b9a1ac74a0df21999d423c7ac85832c6d7a0c454d0d88a9bde36497fa234f87cb78b857596

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.RYK
Filesize
1KB

MD5
8be3c000f88b5d9b88c5a70573b2c226

SHA1
30aac89af2f99890607cf73870cf39fbd1e8778c

SHA256
7d453e648d0b260dee64e66e8a4cff2d4a9d3e459714321209adbe2f6b689630

SHA512
648be4c1828e11a4840c43452318153f6392c815a93d396913a54b7fd8aedf84ddccccb91cc0a6ba85b254045bfe857c9f83a73a65ecb51bb1e1deeb89c296bd

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
2KB

MD5
5db81af5782356683bb865843f77c7f6

SHA1
81c087cc8c409f07cae7a1f6f3970fe44cc86134

SHA256
c760e781dc2cb60ea4cc9ec15a03398f8d003c292827421eb13ac08b68821e2b

SHA512
0f4ca5f5889a64fa7cc051e5ae17088b0a7aa3b43ce56a93f445611621cd4214bd48eb97d0ae6a86b2c5303fa5f136b50af046bdeae92df8d972c7cd9126a999

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab
Filesize
26.7MB

MD5
256465b72ef680aca961435bbfecbcde

SHA1
b6860eb3d184a6e318507dff1ce2c1450a8d6cb5

SHA256
4703799742a160094b7d2aa706c0f35857fea0caf5281baf52730ca7e59f6082

SHA512
b8f552943d67528625dc5db630f53ba18669eac4d27d4f7fedb4171c7971c05d55eae82a7b931322a4740e2b6bfe3a0de47796f80f02c9d2f0108e65a9fa62fd

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi.RYK
Filesize
1.7MB

MD5
2ab3bbedf88dc516462b715bf141b753

SHA1
b3c7df77f12119db6897fbff1808adbc1a9ec2c2

SHA256
9915d526542f6855f41b4190397966a52500a0aa0f948809faf304217bf26c80

SHA512
0342d786f03408ffec33007a296b890cf4191984eb03f59ca1ebb8f66424a1d15fd576dd82ce185a385c372d536ade1268114068fe2c578cf7fbb4934760da89

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml.RYK
Filesize
1KB

MD5
0e1a921c5b66c35b0ebc0d538741dc40

SHA1
3d9217bd7f26b34b2201fd9139d0734dbd31d5c6

SHA256
6378d11df5e8934706696e409a7924c05423939c4323ae12dadb39255809ee45

SHA512
f049ec659e8f109df7ca345bd6ae8baf629882dbf8d783b6a3ddd3d026589444ab3e6e2c989d45e7c25a5d0e01cf19d0559a0e1c66403521a6b89b564a3efaaf

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml.RYK
Filesize
582KB

MD5
e4986a696c25de42e371d5d8c57bafbf

SHA1
027500c6c23e799434367336c5a432e8f3202604

SHA256
362baf7bba884ac1f5d070c9ffd576e2bea7dc54cf19b0d98afef7e39e701826

SHA512
d693a0e6d663d3c89e35e0e1247c058745feab80783f6b1907a8e2821a634beac837cec9f0772abb2c6ed0b943571d4971bb67ab1c6e5f3988b3683e29054099

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.RYK
Filesize
635KB

MD5
0be3c0b0ea5c9b73abf2c9aa3a46fed1

SHA1
5d570751ffd231504c4cdd22a464aefbc959bc39

SHA256
5925c6aa82144991415df736a616bc52e32c5fe57871f96cb28e659c045baddf

SHA512
67170c3439902ec5f22a9dfc28ace9fb7cfe5ebefe965f5cfb332a6534c2145781be8f1e70272b663405a5bd88939084e1975518523f2213de9fb164ebd5d827

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.RYK
Filesize
1KB

MD5
9f8b8a279f403ce2fe47c6d315179a00

SHA1
03f10d72ef0796de82cc484feadaa03f51f1bd87

SHA256
3ba8574afa70c4854688bac6398a94a85f0a4233e2a626e78d5421edec5428ce

SHA512
f08a04a4ef5f7dbdcf1ca7203742bcea24dbab4695d5cecc55e9fe29b5ffcc8c96db57bb4aebc0b6bd77281826792edd065953888d6bbcbeab6dfc6abd518a81

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
2KB

MD5
0513b64b4271d1adc57c5184223c04fc

SHA1
2a137184922e099bbf4779c4733689a25081c7e5

SHA256
e986c7eda3f12055650c6738f2d1a7edbfe75fd5ca7cdb37a06e3bc115e8569a

SHA512
f5a20ae19c07e09287d65c8196941482a403622e072556f4fd46500e0030f54cb1615b72dc3b7526049977b77e5eee4047a9c0cf0a9cb152c0c3bcb6dfda5a20

Download Submit
C:\MSOCache\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\PerfLogs\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\users\Public\RyukReadMe.html
Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\GQPzKGYtfrep.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\KuUTxHMxTlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\tXryUaxvVlan.exe
Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
memory/860-57-0x0000000000000000-mapping.dmp

Download
memory/1248-54-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/5548-67-0x0000000000000000-mapping.dmp

Download
memory/26092-71-0x0000000000000000-mapping.dmp

Download
memory/26104-72-0x0000000000000000-mapping.dmp

Download
memory/32200-117-0x0000000000000000-mapping.dmp

Download
memory/32964-118-0x0000000000000000-mapping.dmp

Download
memory/33144-119-0x0000000000000000-mapping.dmp

Download
memory/33172-120-0x0000000000000000-mapping.dmp

Download
memory/33224-121-0x0000000000000000-mapping.dmp

Download
memory/33232-123-0x0000000000000000-mapping.dmp

Download
memory/33240-122-0x0000000000000000-mapping.dmp

Download
memory/33248-124-0x0000000000000000-mapping.dmp

Download