ryuk | 9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-09-2022 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
SSDEEP

1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

pid	Process
884	chMISelJHrep.exe
1032	PvPVHYMNtlan.exe
5560	vnZQAybCYlan.exe

Loads dropped DLL 6 IoCs

pid	Process
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
26120	icacls.exe
26132	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\vlc.mo	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt32.clx	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\COPYRIGHT	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Samarkand	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Manila	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHEV.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_SelectionSubpicture.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Music.emf	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\vlc.mo	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director_2.3.100.v20140224-1921.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ACEINTL.DLL	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kolkata	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chatham	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\sentinel	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\mshwLatin.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Resolute	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\README.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\vlc.mo	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\TipBand.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_ja.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Creston	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_fr.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.p2.ui.overridden_5.5.0.165303.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\core_visualvm.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-12	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\server_ok.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Araguaina	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Vancouver	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_zh_TW.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 884	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	27
PID 1336 wrote to memory of 884	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	27
PID 1336 wrote to memory of 884	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	27
PID 1336 wrote to memory of 884	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	27
PID 1336 wrote to memory of 1032	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	28
PID 1336 wrote to memory of 1032	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	28
PID 1336 wrote to memory of 1032	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	28
PID 1336 wrote to memory of 1032	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	28
PID 1336 wrote to memory of 5560	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1336 wrote to memory of 5560	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1336 wrote to memory of 5560	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1336 wrote to memory of 5560	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	29
PID 1336 wrote to memory of 26120	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1336 wrote to memory of 26120	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1336 wrote to memory of 26120	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1336 wrote to memory of 26120	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 1336 wrote to memory of 26132	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 1336 wrote to memory of 26132	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 1336 wrote to memory of 26132	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 1336 wrote to memory of 26132	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 1336 wrote to memory of 43020	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 1336 wrote to memory of 43020	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 1336 wrote to memory of 43020	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 1336 wrote to memory of 43020	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 43020 wrote to memory of 47132	43020	net.exe	36
PID 43020 wrote to memory of 47132	43020	net.exe	36
PID 43020 wrote to memory of 47132	43020	net.exe	36
PID 43020 wrote to memory of 47132	43020	net.exe	36
PID 1336 wrote to memory of 47148	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	37
PID 1336 wrote to memory of 47148	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	37
PID 1336 wrote to memory of 47148	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	37
PID 1336 wrote to memory of 47148	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	37
PID 47148 wrote to memory of 47180	47148	net.exe	39
PID 47148 wrote to memory of 47180	47148	net.exe	39
PID 47148 wrote to memory of 47180	47148	net.exe	39
PID 47148 wrote to memory of 47180	47148	net.exe	39
PID 1336 wrote to memory of 47216	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	40
PID 1336 wrote to memory of 47216	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	40
PID 1336 wrote to memory of 47216	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	40
PID 1336 wrote to memory of 47216	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	40
PID 47216 wrote to memory of 47248	47216	net.exe	42
PID 47216 wrote to memory of 47248	47216	net.exe	42
PID 47216 wrote to memory of 47248	47216	net.exe	42
PID 47216 wrote to memory of 47248	47216	net.exe	42
PID 1336 wrote to memory of 48308	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	43
PID 1336 wrote to memory of 48308	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	43
PID 1336 wrote to memory of 48308	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	43
PID 1336 wrote to memory of 48308	1336	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	43
PID 48308 wrote to memory of 51112	48308	net.exe	45
PID 48308 wrote to memory of 51112	48308	net.exe	45
PID 48308 wrote to memory of 51112	48308	net.exe	45
PID 48308 wrote to memory of 51112	48308	net.exe	45

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Users\Admin\AppData\Local\Temp\chMISelJHrep.exe
  "C:\Users\Admin\AppData\Local\Temp\chMISelJHrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Users\Admin\AppData\Local\Temp\PvPVHYMNtlan.exe
  "C:\Users\Admin\AppData\Local\Temp\PvPVHYMNtlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1032
- C:\Users\Admin\AppData\Local\Temp\vnZQAybCYlan.exe
  "C:\Users\Admin\AppData\Local\Temp\vnZQAybCYlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:5560
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:26120
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:26132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:43020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:47132
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:47148
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:47180
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:47216
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:47248
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:48308
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:51112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

Filesize
188.8MB

MD5
3b38c31a3eacce7ead824247f9daea98

SHA1
9d719ae68c3bc600981e49333fc3211e1c551da9

SHA256
65f1678a6b0b236146e02c254918a0e6ec3cb53afa1f7a75b085a2287c4feeff

SHA512
ee831b0eb088c774364e60a2ed49aa7e24622a3dcad438a7baa567a1523550e26454d06e6325f4a5d3e54c2e527a53b8fe3584e8020b81ac42e0c6a7defe6185

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
12b653e8d9b306a17e654e99c3824d92

SHA1
8ba44fda77606cd8ca980da04f862d131c87e55a

SHA256
6880b7969a890381920703d3406e9f4c2bcf3d960fa5699b4abb50c927fd4160

SHA512
aebc490100b5ef1cddc0c6c6f6d406e1e8dcd4b27bfd26579e11acb6eb79867bd1c77afe0895f7cc3e2ecb784d59d475e71ba49dc7f0de97d39b408db8f231bb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
f87a1443bfd374627f4631941170429b

SHA1
1463ebca0e1779da588d45249625e7bcbc10f9b4

SHA256
4d50fb40d3caeac526ed83676da1dce1b5759c31fd013f8be883b4be71d94f9f

SHA512
2f653b780d84f75de8e91c85c094992a9a5e04a61c2a815571aaa4343b2cb9115f4d7c0240673928677383f4e30dc6cd15c5116d18e2ff07b4ec97d1d492fe05

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
305db41c8f05efead69c4ab1f90bec6c

SHA1
0a70ee4b8aeda76cc13631ed9e70e379335cfd06

SHA256
17a752ac6f439d18d7ef67902d4186485d45e674e974359128ab17661dfab058

SHA512
9997f33d07515eaa19022f0181090f2e5232282b1e1c247fe4520e392c8d00a3f75cda30f314a69c94a86f6962a20626a93fe81fc1e5e3b4e37f94b78cc086af

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
fe6d57cabee2722ee83dbb631b4d16e6

SHA1
e262d7133c903be2f362bfc55a4f5f9476af1e1b

SHA256
e4b48a5ab2b5bf2f4e75f36cdcdf8ac473dc385b83baf0952138b830224936ae

SHA512
4faf8cfa3dd1c41363b3e50490f5ee396efafcb7ee71dd48d5f348b22edd844a33f310c3cd57fbac57403b0246dc36a66f9773606c76b1c220ca1fb455a9f1ba

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
626c490a14ee0be07e4d8ea205418b03

SHA1
06624437ac59e82e7c96ea24cba4d3f014aa44d5

SHA256
bc4edbf6136ae546cafb5c832603e01c6175ce545102016658a3899e8f14adcd

SHA512
4e9ebd0ee87b521381a09e7a7302307d8a34d7b92f7b71c5b265c2a5e308ee4fe865c725e8d6b07a917ccd1ae60ab0a752b2d840f35d2a9a7ae2f42bbe1d754e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
d91b34e9dd0bb7f5f6719b8d637dfcc6

SHA1
b75dc083651939dd61941f8c2b0cd66aaaa9fec9

SHA256
1ae7d4d11b81befafe897b092e1a6527bd90d1a7e997bc9f762bdd1d6cc263a1

SHA512
3d395afe2cb28d7f22cb008226613998b06326005f288ce2617578ae12da7abf97d087d40abbb50d446a4280252f701b6d84d852dec60fdec263d6f1e96ef39a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
4e3571d515ef5b46d76a54a8d130e577

SHA1
a5afdaf30786ac5686b95ae22ed0c2a9352ca105

SHA256
40b87b687e8e1fa6104b55588d94ed8474943ac69381acd2aa7b76c7fa2f537e

SHA512
36474ddff1cf0b67136665882b01a168128f314e1dac75bd78c191878822a32ad97a10674ebb6e4a57c0def10878ecf89fc61691a7ad8310928b460729b0158b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

Filesize
67.7MB

MD5
f0b32a152dbe6a9048a7a6cde2926830

SHA1
3cc9896df5b17c0024b96002a53bc6602def30ae

SHA256
dc57bca793aef52a1baee417c53e0ebae2b50ca3fd25dd8dfdc72c25502f1fb1

SHA512
458883653da9f5d616112e03979e73247a85d550de0be1f11be8176311c607e1260749c722fd7a6f071221bdd6b52ebc546dc181e9388af3f8a96599eea9a2ad

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
6ada69cb0b3486a87bc22ec2e21d7016

SHA1
fa9d3d3c36a96bf8aa146397f4ad2646a9beaf7f

SHA256
0632b51bb01bdf159713fe93df11c74b6dcde61f8aaf857f369f4a087b7199b4

SHA512
b0b2d1a3622792ca8b807b7f1ffadf28407c8786b639c8b55033e492c2d80a8e308fc77957960d74c89c4d356288eae4a85badd65f912f5cd6a90462844bc022

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
ff6858dfa0a148a63be10355a5d10756

SHA1
48bd017b7d81874fc5d01cd2af3f853c8f9e87e5

SHA256
237866310f9c9757dcd8f78508cd177a1fdf7185f2daddde515b0d53a7a712be

SHA512
ecce7f8dfd27d3ce2e2c05ed12830bae4f0f3deee736ca8164be3ba6a2cfae1018642a6e63fc3bf3a01ed70a9b3645775eb5f3dd9946528ff86ccc69bf7ef77a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
6b936b9cf6103976e5a66b2f838b6571

SHA1
02e8f703cae1613267878c1600edf4c07117cd2d

SHA256
3d43b9e9d24bdbb62abbb35ff966207bca1daef9fe025f11aedca4dd355dc229

SHA512
ef944d05a4bb4c18873429f7f8d45fc608c180a1f8c4f463b0ab482b4102da0390f87c235026096f23a097ae0363fc407b139934423446f63e2903401b8abc88

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
13ce6d0a732cfae6998dd2ccbbc86328

SHA1
afd89f1dd02bc6cef3472c35e4ee45edd00c137e

SHA256
83ad0a624ef9de4ddb4ffd7fc30f2505b38f63a1c0c5acba48ecd147aafc8dad

SHA512
50a699822437f945f01cb5ef8effb47d59a5bdfecf8fe65d1bf4447b3ba106935baec88278744efc1bcb92ca2d1d5cfbcbb692758f1715e0af931498fdb21148

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
146039a05fed3b7c28249bf7febe1e17

SHA1
4b8584691de8cfe0df2b17c1f4743150ff87e866

SHA256
6cd6b7aff5ddd13397ab30cce6020a5e3bd808e3d1053e638574323f022a3430

SHA512
2b60dba802a1b0759ded43c94cdfb6e933ea9d2e5e38cc1264292b2d157628c0cfe92d1f791a16d9e1053c6bb9cbe91965d9fb325dba21c43175a1ca34af8545

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
4e1c88109783fb9545c0f651f25cd2c5

SHA1
10b01e617878edc2d3cc76f258041f1e13c1f3a8

SHA256
d5d63d94de371f7c93afec347b8c44220fb2d079bb4fa98463f42afed4d9b1a8

SHA512
794549cef92ddf2f6a673881cb90498203b980e3bf41fb00b02ac583b4a77fc319d83634345ae8b8d1824bb4091c364d2f6feb7db4037842a4222403bd331f1d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
2a9c3b6b9a8349cbf43d05ee4af68137

SHA1
313a263919ef26e61192eefdd91a113bc411a6a3

SHA256
876480ae39407e4abfaa21271062132ab6800ea80c7daf18ba2c65a2c7863d84

SHA512
aacd147f19a79b39a5ab1025aff21d7aad86680eb280fc774291481bc67d9a83b517f389489e4acfd626846cc2e8e9894997bdd997cd61af023f46c433815577

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
52f85b2891ff65e4c9afe2b7eea8c114

SHA1
50722f7a4730aaeae292770c03878a85a1935f81

SHA256
16277824533728b5c2c5a37a4c57d1c3d25db9c041bdcdd7351c50399e1dbc00

SHA512
5af61eda045e7c6ea0a0f54ab1c590c3e47655f3ad6f57ea8cd5ce8c77671ee1f27ebdee7f57a9cf371f707090bc50b01b2178f2c4b25cfca4a6a0148ba022b0

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
1167864c665860150ff87790b5cdfd54

SHA1
e6393ce034c85c1e85e1208c715f38da935ad9f4

SHA256
fa424003f288490be702b580f36b305003b213d48ddc85bd18e3b3b0ae3bd543

SHA512
e93ea5afdedfa386bb12d9b89c398e74d49f7c72335ff4025233e53d18c48238ce3689a471d710786daa631613824ebab30b9c7165268dfca2b58ee1cc127d65

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
f4cc035e416fc082a46dc4532495f2c7

SHA1
8eca5ce3d2235295581c55377d47baa317cef94d

SHA256
90db035527b48ee064d1b460ff1623ef2c8c7ed0dd125ced2419509cab3a5e7c

SHA512
021ab01f5deff9389fb1f68ddd076865dda976c245683517cd4d2143b8240db40fd9c62cb87321697728aba58c5f8377fcd47642cfc1764ccf6f3a9c475d2681

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
8dbeed5b8e5780ee35a183b06821af11

SHA1
ecf883c034877bcb0e51af7c1d4a288dc1206525

SHA256
5e838747fdee57a95ac38aac5604c2b5695df7311d0b204d275d9e5519aae3ea

SHA512
2cf0c5f40fd42ce387ec6882639a1bb9285c90cbd83f6d9297d0bbb49e29f7ab759e0f84120fd716dd3d362a5e9caf613f892a39db64cf5d613a5d756949b2b1

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
5bd80d6ad011f8dd69f71c8d1673dc7e

SHA1
c908e2bf684e3f7c2a123be09c3c0685a86ebb51

SHA256
f2f92b86cd8a7ffa9980077990f7e2c09fc08c02ce147d8af17292d9160d177f

SHA512
94fa2348b0cb7ba9ac1200d6207cb4c3ccb28f1bc3e8b1a949a5994a053b80951cf4977f7d33ed2fe68d3860024d4236024b182ac13982941ea2f49049118a65

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
493cc38192404a3c2ba003bc9448f81b

SHA1
901f369cb6e33b17ccfff59af96b7175981ee47b

SHA256
2b39794be218f8da7fed4935d2946ac4c8d1b5fdd47e85757758b98885a32764

SHA512
06445bae555aa8ea35050b6640f551a384008603518268e397cdc939f87fb04c9b34ab082afdeb75383f09d34fbc27371bfba0497ce0705c89c3fa616b0b0226

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
c15a265330bf572c4d6fd630203cf9fd

SHA1
bee5c30ba6dbb012a2bc571c93a1dc81911e149a

SHA256
cfb0115ab5e99f7fbab7317297587ff6b916269bda02a2049adfc0cc6170d7c9

SHA512
4ff93315c4b0f4222b6de3d8efeb01d6b17396c2375818f142f1819fb9c1eccaca57ed034f65575d2a66a456ba389491370655722be5973a35db89256b98e6a7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
cb0c63d354b7965fc831403e6d68d018

SHA1
a700d725732226b097d06411117c2ea88669adaa

SHA256
19a2bd731341605e3d04976d2a0765f8c9923a862b10b7450426822804b08c95

SHA512
6a7ad16aa9e9a22e7a3d8ef70511cbef066ba3b98628e50f1395625248907d3189ce816e80e974f3e2f043640ecaf109e914229843aa9ec664a36a9d299878d9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
fe6083fc9728051b8b2fe42674990dc3

SHA1
e7a8f2dee0e879598304cbc3e5eac7b1b0f014ea

SHA256
ff0228355780af6ef52c07c5d00d13844c847f2bef77d8678dfa67fa544f5efe

SHA512
494e5f015f51ae0672cf40fbc48583ad03750f7c2e52801313d2ee1c89787ed76bc89218043612327655968d215d79dd060708fa49c09a2d6968c1dc2b1c9ff3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
2be6b96c87e6f8c90152ceb3bd7b9c88

SHA1
74b333843aa5fd1401bf0e67e1e1a44c391e2c40

SHA256
eef7d5299608b60a0fec13cca7ee52ff4d8fd93fb246cd180341a30f1e8808ee

SHA512
cc1af21b430ebc8a9d34dc8b76213cfafc8c606174535c2a7b4953d5ac0e0b3a705fc7dcfe78eafbc8285fd5c88e8a543c0a9c47a1665028b7e5af05de3bf5ea

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
13d2d39206445132b507e815a7f3376f

SHA1
70daf4c4b361caf8651d86da2cdc64a196f08935

SHA256
cb95c5c2931a6f81574d1173186ec530102a19ad25056919920d5c3f2e99747a

SHA512
2d88e8b39b09f35af8606b3202fade0d2db0714c0bf2b6d359c76312b6072c0e43c78837c0ee7df0cc8a15c33bf910567070f4118cfa60a31ed41e5404b5d107

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
b51175265456d41597989ae2f703059b

SHA1
8d4bf5f8ba8e9401d55cd7d2a2a35aec7ca73cb9

SHA256
8fc9de0e83d736f63f0a965df3e875cdba7171291469d0f6f647be35753d400a

SHA512
b187cbb85fc8e0bf57ae549faa7e40618cd7b979fd3e25e7a06d5bb0d8cf84092dd48ae4ebbd9f627b1c45f924a49704b4cc42272c24009aa9c621c0c67a71d8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
dfba7cf5adc7db8e71071b812dc2d255

SHA1
a4692ac1e70b412c383522dffee771d0127df79d

SHA256
2c37fe70791cdb3926c04c12a8e4141a2263e745accc4c014494608a469bd931

SHA512
a60fcfbe726d9b34b3f8592b35e88cd3b77bc95b37da7098f1a24ea26ae4f7b60ace28513e53b670864a7e87b8dcf935a933703912922dc29417a813e60ed14a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
35052a05ae59ff86a1c40efabb78b651

SHA1
6c8d04f076490383505b910832b743d45c6b5ebc

SHA256
7005a856466993a23fb5071b5e900aabb0a9b802eb3cf2dac42253ce3050d45e

SHA512
85a90dd7456a9fe1991672038e5ebf0597e98d1371d487d17426293cf0b97db52358d98a29d3df8d29d14282728a16504bed9976459721762690a6d82914c548

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
935832e279183dbee1956ef19448ba79

SHA1
b6912a7d9ba327205eddbb7ad48a19660ab4c031

SHA256
e66670e6909867c4eccdae4ca473750cca4fee20221ee09285951155a814db5c

SHA512
4eb77771ea828778159014b13247821a8d90be4b75e08f66a89270fd76940df8c15a76db56c6a8c566c2f245cb5a781044572ddc5427332c8387c2af768a2bf0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
5b6528d23e4b6ac0e3333f94203e5dcf

SHA1
9dbe24c5baffb067d5ba9fe56b5f2974ebeaf20c

SHA256
c924ec36aec3506783c42af39dbf83d5ece140c3446cf6b67b2e64bbf6e42af8

SHA512
45920508e53bca87cfa184dac0f2038c8830d799d8de30ed0f70b33ab06f427eee44d6b0b418efc329c04e1e90c405d9348f995af4944975821c094ed30f8cca

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
c0f2ac587473db44bc0e24898c4c44dd

SHA1
4d047a7b77e8874d3ea72bafc38e3c03fd96a849

SHA256
447156aa2bb6bdad8566725d19e9373e8a00b9ee1938867908343f2b6b02693c

SHA512
af6a4098ec0c7d867d6a3587155aa5d7d27cff5cb31e75e096d328ff83d53ba0eceff71d194eafc4021f61fc3e7ee326ab4b3bf852fbee8e5bc5d9d41d893926

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
d4c9668e21d1c6be18ed3e95b53544b3

SHA1
fbb153184d695d1939e987b34e94e30742501389

SHA256
2e6e4ba25a7b60ae5fef09430684fab8ea2a2f3e3a07f8a3886c410ac4856e59

SHA512
e19bf1d1da6f1841d7c3eb28e7fb3ada1eb577dade7f805358e271f50247a628913599539d3afaa263c0177201006bc0b6fe71657782250b5a62f5052b5eba02

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
6ee68ca85f04c888aae8111312b640ef

SHA1
a4e5b0f63a9704618f2016c4c866a104e2584d75

SHA256
7bb582060c662101cc309ebdf6ddbcca6481803ce2893d38ecc5d878bb1d1b10

SHA512
121b24c3d4396e29c21797981665dd24336d8c45e48d99647be22697cebfc1a5d5bd1948d6a7bb790838c7838dccb4679bddda8264f8f235cfc801d3e324e7d3

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

Filesize
2.3MB

MD5
0086ba47509c64f81d5928317e19a749

SHA1
400497d8bc7c99324d6b11204fd926ba2e051afc

SHA256
f8685ca2c057a7c5ca32df42abcc89f166e1d8fb08c04a4900cc57d7680546ce

SHA512
01bce06d6e4d36c0628c52636731813fcbdefb7fe0b5a8203ff59789a558d9532a8e64ccbb964ee2ac3fb09fa7f1372b31b9aa1e1c00ba68ad3d6743535b21c5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

Filesize
1KB

MD5
0201eb7b9f2de2e73a64c2f89815d62d

SHA1
69607d1f2b915577748483edc46f7c13d4867ceb

SHA256
f0d6254311abba8b3ca0e4bf845252832475edb898ed8b3d085c64bb448c67bb

SHA512
b86d27743d74b8845ee9a4fda6b99c2ace4b7ac17d63e739548c45d9258c332ac8b17d66144a57c47da83b56294fd0f3612e75ca38e7ebcbb8fba3d565d8a58f

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
1ea06b8c70d18ff2107c3d4c8db54ff8

SHA1
24d018569c5c12df676004f65c1a1144a3bf73f3

SHA256
e22f35bf8e199725906221f5c5b8793d06f23df03941d6ea0d629dd87a82a2d4

SHA512
eb76ef1ebf95de2c01e4f73b85a42a3e5b338683c832c455a3c75231cf6cb1af1c2b33bd6061f22c2f71cbed729cb6751f9c63ea0d7be98b369a8053ef908381

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.RYK

Filesize
1.7MB

MD5
0876a0f63f46807317a468c41ec676b6

SHA1
18d1425431568c0871c9dc1642780b7672839b79

SHA256
8015082f5ea5f12269b0016abfa6c9c5f053c610ea7b1d0e3bf7a501c350f2c8

SHA512
5fa734127d7a1abed06fe04a29d7d08b65d265a3f93c0f59f25c2217e4e8420e7016b6ffd8b4857a5de6fafd3669fb91b3a002c5cc1a885651815f0154d9c971

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.RYK

Filesize
1KB

MD5
5cd6d05f0bbb6c5361f20b4ca48b56ea

SHA1
2c1de4ba3461811139950051a244a25bfde60291

SHA256
e77ce78a8be072a2e34de34a8945af3b8c57110183ac59e82cef56e5eeb06fda

SHA512
75ef08ee8d2917a1ee9bbb461fcfbafe95a0849d9a11e1716dd2e355c923c227412cb19f4d3b3ffe2ebf1d5577607c312e7b7c163c17eba2829e88c5b7020062

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.RYK

Filesize
16.6MB

MD5
09be12bb3b92f5e34129ae82ead88529

SHA1
715dd581df7499a3d299edb38248b0aea9842e95

SHA256
8d1599d340a4953637d2084f4dbbce2ca33c6d09edbc59fae2416127b2c4c964

SHA512
991ae74fb01c7845313e3044ae0738a2dcb6f565c4dba35ae1d297306108e61961504c379d43406e1b3ab5fbac515587613f71e555ba33940ccfe3e2a612e4f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PvPVHYMNtlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chMISelJHrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vnZQAybCYlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
\Users\Admin\AppData\Local\Temp\PvPVHYMNtlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\PvPVHYMNtlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\chMISelJHrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\chMISelJHrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\vnZQAybCYlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
\Users\Admin\AppData\Local\Temp\vnZQAybCYlan.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit
memory/1336-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download