ryuk | d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9

Analysis

max time kernel
135s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
20-11-2023 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Size

131KB
MD5

2cc630e080bb8de5faf9f5ae87f43f8b
SHA1

5a385b8b4b88b6eb93b771b7fbbe190789ef396a
SHA256

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9
SHA512

901939718692e20a969887e64db581d6fed62c99026709c672edb75ebfa35ce02fa68308d70d463afbcc42a46e52ea9f7bc5ed93e5dbf3772d221064d88e11d7
SSDEEP

3072:j06qm9E8obCg2QdgYdrp23suV+eGg21Yg:j06qHnOg3df9eAJ

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '8x0nKKx5'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (2514) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2756 icacls.exe
2456 icacls.exe
2260 icacls.exe

pid	process
2756	icacls.exe
2456	icacls.exe
2260	icacls.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened (read-only)	\??\L:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\K:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\E:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Y:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\V:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\U:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\N:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\I:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\G:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Z:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\W:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\P:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Q:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\R:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\O:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\M:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\J:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\H:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\X:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\T:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\S:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Drops file in Program Files directory 64 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\es-ES\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-5	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Paris	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_LOOP_BG_PAL.wmv	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground_PAL.wmv	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-io-ui_zh_CN.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-heapdump.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-api-annotations-common.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-explorer.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\classes.jsa	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Asuncion	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_zh_CN.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes.nl_zh_4.4.0.v20140623020002.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\de-DE\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423861240811.profile.gz	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Currie	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Windhoek	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management-agent.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-uihandler_zh_CN.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado20.tlb	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\HST	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssve.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\TipRes.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-applemenu.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_ja_4.4.0.v20140623020002.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.w3c.dom.events_3.0.0.draft20060413_v201105210656.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Berlin	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tirane	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\release	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\it-IT\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Yakutat	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatsh.dat	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\DVDMaker.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.ja_5.5.0.165303.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12Tools.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Pyongyang	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	pid	process	target process
PID 1564 wrote to memory of 2756	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2756	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2756	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2756	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2456	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2456	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2456	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2456	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2260	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2260	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2260	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 1564 wrote to memory of 2260	1564	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
"C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2756

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2456

C:\Windows\SysWOW64\icacls.exe
icacls "F:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
79763c50f0430833e73d22cad8353952

SHA1
2bd973581e4e9e70e27fc7fd3a7be76dc491b2c2

SHA256
002ecf3fc329577a6d218c2fadf3c9fd0c7701ca198353d4c76c76a81a356cd2

SHA512
1808d2e1d529141f58668023a7f150edfd44e6156e1bba9738f82fe00954a6751f622c27f73f61f48d4cf1f576e7932578f175b949eba81492c398f697505dd2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
6c552e82cbabc3b7c10507bc659cd0c0

SHA1
93b815e1461d985e7c855aee0ac09cd6d6995f23

SHA256
2cadca30f2b5c613e1681c06ec863a75b6a80902a4187579fb54a8fc3317d253

SHA512
1c1c95a958fe466ea013b6fffec15896d0bcae082137998471d9d869d7a23d901e4939f9d007363ea13ab81da480ff7fa0b5a032fbc737bc36c8cad55f53ad7c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
4ac0699945dec320ab85d30b68097d7c

SHA1
486440d2062232e152ed1f3ea2ae2c3a55afea7a

SHA256
2dcac8fd717cb79cfe9649a84f865d8162f43486bf34e42b4b7b28f5c56db337

SHA512
4fb683e5b7aadfa16b2d965dacd00e854b854dcf0007cbb4667383650621a3c85e16fe8c4ca6afd706bf36d530bad53dfcebc63e4b4b67e4dd59cbee165ed08c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
ca7908d72c558f56b82dc280a6f948ec

SHA1
020100908107c6a1e6bca10e2dadc1974ea9ce3a

SHA256
fa215351e204c21d8eb07da3c1ad268ee90eda6bf364e20c5671bf6e8e442380

SHA512
4000c87f6aa7ce7c3a61914412b739301dc289a8fc3b173b5384f2f9cd23df5d305cf2e16bb5509ef1dfe5b4e7136fd71be8b58866020bf683edb89020873882

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
da355726dfb3c89ac3a28ee6ec466df4

SHA1
ed85b111c0f14f2dc00b7e1b262a2f7e70c932ee

SHA256
d6ff1960134e6892bee74df6a87a8b58aa0c8a510d765e4ddc710b962ba46ebe

SHA512
2d5d28c433743b893b353a53a1c8e37da7606f3475b4c089f3a27015383587f39aa9753c628bc87584da26501c3cc39fd3fb16af26e55d2c5600a2dfbe32405e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

Filesize
142.4MB

MD5
2a77d628db206737b05034000268bcbf

SHA1
da3437d38af5c42358b3ebaa16d3d2343e44b317

SHA256
33088463edc5d51509a1e931f63344f4637bf8c1671a270f530450cd6ed7d366

SHA512
51ee6748c3799e40c21aea966123bb998dd30cd632307ef231a4ab72f8c821d42ac0882c72b3a62439ef3890be79ef4fc1963487df51ac259c5cbf3d64fb60f2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

Filesize
188.8MB

MD5
161d65ecf901c6b0f899f92b015ef46f

SHA1
51e4bcfb1dd295bf26dc17d21d05b6cb2c070e53

SHA256
1949999195d4c561ae96187f6aa922fcb27fb0d15e2a228e23cc85f4dd645ca9

SHA512
108dc2417863e71b0cf56aa5c1a328df435ddecbf9af57a4543ab7607dbc1de95268786cf9654c8a37f0ee40df4245e17b73bdc4a4334eb988b30b278b823d1f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
9c6179185a4a7d82ac5918db80cc605b

SHA1
f7016e7e641be820c8395c44001ea6aec7ecdd2b

SHA256
39d687f36cde4cfd764fff009a359232d9bc0aa6f90997876840c7b342b4269f

SHA512
580a891a5591cf6a9504a4ea02e5161e94834c4599b69cc1de41484841e154cf05cc16e5fc10917a7ef1bfd26e1713b07e52534cfb47cfbd4f80a84b502cc29c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
5b662d5b6d270623d292a8b7ac29a4f7

SHA1
991a878a8b8ded7312985e8b7a5940884edc5b1a

SHA256
e6ee5f48fa56dc2a759fc5775ba06574c94b9c3145f9db7d65e5016531c25fa2

SHA512
774ca0250901275d02bdd1ed62e176c1ba03bb9806d6266122eb3b81fd180f104612762a4b6ea9d0aaa56bf702b3b29c5a2868bd82dd511930951a57222efcc5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
52b87c71b162c126b83a77e38e24ed54

SHA1
a673cc7b271612f833812c0c68b47c93d84ae475

SHA256
61c6c5a1e187f8d44a65e77fad9239b9f6156ee879a00fc48daf3075006bd3b2

SHA512
18559eb8fa7e6404b419924df60fe2d11f896b53294e55b301b6f1722a30f0e3c7215b3598421f6dec185fad419d510dee6790ff5c1690f16087dfca94a9c5f0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
c8c0ed84d723370fc07d7105400007bf

SHA1
85c4ecb0e6388d988f4d028dbf5ce0cfea488b6d

SHA256
7b2ce5dc18b4ac7b14b269a45e2c9704d3f0f1a1a0d75022dc003fcc04a4e461

SHA512
642ecc25ec292cdcd6d2874eff6443e2303fe7b2d2bf8e2accd999a4d401831178638aa83546473798f1c4d9fe1fe5d24413bf16f64e976762f7214bf54cae5e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
da919ca31f3b97363538327f555d0417

SHA1
3f3925a89cd072641daef9dde23012868b5582da

SHA256
d1de92a31ddd0c635f9b6e48437402b0e1c05a926ce83d3462ac72b8e11d4a60

SHA512
1f2628964754266176b2c6e9bdfaaee7c3285e7066a61b7a9050655ada67bcb636ea84cf77876c74772daec6312a5cf64ce4805716f8f8c098d7f45389f178d2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
5485088c730aaa95bf7a1ab670f34d45

SHA1
4a46d1996e68fdb2ebe9eefe1f4e131feacd6f2e

SHA256
44a640d3d46b0c09a4f9591db8745c4b04328cde9440b3956c0a79169edf294d

SHA512
7c1afe956d117bc64743f10a203b517e1ae761ef04b8bb4757f66615a54a147974bd994d02dd6e0cd3b3535ec84ef81b85ed15193ef62b96c68e9da74c1d910d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
d20402d56bd064b44bca83144892aebe

SHA1
4ee79426f99eec4d403aaf5e68356c2241583114

SHA256
fadeb96baa1ad3c7a034df93c3e38175221775835cbf67f28518b17252d63e22

SHA512
2a55784745cd08f55f9e130cbf42848f34cfa19e7a4b7b03c0aaa21fee8004e8a872d157d1621c72111d6dadda5c9c16bdb15612cfb5ad81c4efeb0b4f8e766c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
89831c956fa4e1fe1d16363c3cca89f4

SHA1
389106a149ad388e5083e9d5c42c2c0c303a7ea6

SHA256
59466bae63b6a54451921799aabbd5c08c424dc5c6103a84dc548b5f62074f1a

SHA512
90efe02195cc19682fc5db9096e0c8025d4ed909e78c8f2536605f26162567993e0f1b0ece4bdfe96d0f79dd3fa96fa7f13021f422838b986c0076eefd606610

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

Filesize
67.7MB

MD5
f728a5c57f9254ab7d991b49036e66f4

SHA1
4a8c99ca1d2dc2799d206781838ac18de36820c7

SHA256
f565469377d93f53277313ab940d0ca23061ef0ca7678f9455e0a8d9a28ccdb1

SHA512
079845c1106700503faa4e699276cbd72b1f47ef41f5784da696594feac45435817a7be483001d3534f263f0b1f6a1263025ddb06064d42b926af3ee63d6b90a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
1957dd9a4192f709e52ddfc72eaafa00

SHA1
36d88d219cf351774045b8261755178805e52e69

SHA256
06d019651dd9f90d94ce4d09b129a3635e5ff4f2d3534e486f63222942c3ee80

SHA512
78b7afa2897ba68ab53afb88ad3d5d78a8656c368c14f3518a7f9e4580d4e432c635c74fd21cd99882feae2d46ad758f030b3f345e8b1ad8d1298accc39ba70f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
b2b52568a9ef9d1421bb6f7706755787

SHA1
e0ee6d4307317aac94376472ae101b24945e71c8

SHA256
6792e1fb6b5b5b31170de519a8a38c3f522edab0a2e79b46c670f49dbfd6e404

SHA512
714238ce0b42171a526539397a3e6e96e0ddcc3717614d4bf228571ce5e3340c3782b73c162b0b4af5ff7fa4ec7dbc302b4f5b1aa6f4f733f83f7d93f87504a3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
75980112bae3ddb4c466786f7317f24f

SHA1
a4533a961ccbbd3d296f40e8fb4ef5aade78a8eb

SHA256
4b3d1802bb8629a6e53e745717e30cee46efc56adf43e841e9361f9bfb05c3ec

SHA512
508138481069c11f59e18ce495944030828b556013f555e88ccd101febcefbc5352038f0a7cebc69f2befd818ddfe4e1a22a96fc8dd9f95faf54f40105769225

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
e944a7a818d060186fbd92a8018fe33e

SHA1
33a833d84ad168f57b37f2a40392e6a6a80d1514

SHA256
d44f1bc1dfa1d57706d0a455d352eadc2c637779bbf7df067e570ca80534d2de

SHA512
993b2d922f87676ee53c1a9804ebc01147ce5360a874921eb94f13e22d215ae633d5b235e784e7fa1da1498cf4552200372c7165a7bb1f249966d544755b42fe

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
e5dfdeb796be1e0b8c399e8b099a96a3

SHA1
6b0801c6111d23a2b41cfcb4bbe6ab506e801ad4

SHA256
9c8480bc4bbbc0d3889b6595fef298a3451feb06b7794473ef6794e7f7a17929

SHA512
0520b69d30e57281813d51b8a1060fc6f3ec29f0ef44fa8bfccc7e4882695336216cafa910ba9da2ec34d2894658fd0f65759bee085c52756ae1a3f9b0749905

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
7218ff96239649b5f1b805e2ab853181

SHA1
b1200a8522d429ccfba7858ac58430d877553e2f

SHA256
35cdcdad58a2808e47f8970029512b78bb055278b8e9a6ab68e133f8cfa526d0

SHA512
292bbfc28f98fac456b84ea4bd78a581604bf95e93d77acf89323ac79f39fef5699a9a8100e040d9faea69cb8e2b20d33c4db52541ad2450b76f1376e27abb90

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
78c19ab33cbe56b3010df55a7532abc5

SHA1
1c7572d9c39c51992bf72e8fdddd6eeea2e4beae

SHA256
566792462600ad1f020c2007e6536d28e1695d6063f0b065d11c3fc44f5650a7

SHA512
09206485654bbc9554a240c4af9e86ba4a07baa0cf29ee9983fd6dd0816b1f8befaf43bbac8d35dbb3e159a47883ece7e1687a979f458c5bfcb11c0e40e71727

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
e287f320c21db806e05737a58c39ed9e

SHA1
b2c7a042e83286964c4d76995a4ab6407a20e7b3

SHA256
c15d1fbf47e9ad51c1268505aae22e13d1db4d203ca73f06713e620291cef2ed

SHA512
e3e5fd360ce6060d2f993974f438ca11e22c41babe78231325ff75ab2632fa3a43ebfe7034bef9030caf1c87a8b82cdcf5e30303382dfa19a0fc87e6b44041be

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
7bf3726f1dffd7335170c4e2014b0381

SHA1
56c4209a2873c5129b6dab32b49123e59017302e

SHA256
9133d694a306c0850920115a9c8bb155e4f7ab98dc6a00fd12c448903e233242

SHA512
339e422772f8f63c2481c054287a979806d96a6c3aaa853c3e116703fef38a71197c53f4788dc351047f1742afb4029ec5729583f586a47669fca442b2a26346

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
5d2d81f4433fa74429d638c6e075d0a5

SHA1
ab3211766b68b91d226d9e37f319580f93f2ab59

SHA256
25392aa5cbd9825dc64a896137d273d31e4c888c3d44bf29a19c05e64de62417

SHA512
3fddee1c2e875ee56bfdfa90c517dad5bd919c5cc1d19841605d34a38c21f2cd1ac9cc0fa9a57b62fe5014afd0364ed3385b0de04cca368e696421bcb704ac1a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
7a91d09cc85ea74542e61e15c0a2b9d1

SHA1
91f62669983321b32fd42f27740d0752c87e1ecb

SHA256
f2f5ec1f9db04c5b9982293f3193cbfda451e0c4d364ead53ebca04cfd34339f

SHA512
ee7a2588612e666d17215dc2aac87208c5c333d3447db61faeb6de8cb44215eed14f7cf300f2cf6bec8abca2bb9f7a7f642f7b455d25edc3a5f90174cd13bc81

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
bf20b9d29441d0ddf4cfafc4a962b6c2

SHA1
9689701d1b97f883c3c8f4fa1f7b679715b06694

SHA256
30eadc465b479d3d5456b20fcd2b8545b8597329bb5e835c91dbda775b83d63c

SHA512
c4c58d1d4fa458075c945e6ab36da2b819ec7006fd2280787cb36cac444baef63163fdd2a8ea8638d469e43a9cd0537d8abd57e85cf6505fd647d101c692d073

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
2971f14334489113e50da2d1427fc102

SHA1
3cba3e8528033a62c0395d80486e8914ae23d810

SHA256
dfbeecd0e1aa121e1dc7ae0a426bb47ae108e142fac53bbd5fcce4aba205f25f

SHA512
ae01e3203c06e56a0d333a7aa5607865f3a77e329e9d1a0fa428107dba3f3e41fa61cd99ff1c92276cc23083251825d0738a05dbef478b54d180b07a9b0b6c8d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
fdd4d8f41e339e4cc32512c1eb7eedfa

SHA1
4bd16ce1728dbea60883c5640ede211892a59f23

SHA256
a342f4e73bd6819103180bbb6c029a54facfe01b5b506e128ce535abeb3b92cc

SHA512
e2cfef5b1bd705cc73030cc1defa5e74ff9c9ef2fb818249c5759685a0f0f175fedbdc91d602ffd4e7aebe2afbfc2638b88450da40cd5fa0a64da7e03deca647

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
9895684d376eeff291561975defae41f

SHA1
bdfc77d9abc0d2a78d5df5a00fa44fb80efd576b

SHA256
d87ad9c9e43b5a3eaa85745bacefaf25381c3f7817d59de5913cf8d0bf29a183

SHA512
3e381f941b64def9f5295e0c3336d5f0d2efe7a5d874b001a59a8be38098b4df015bdd537b9a1466977e104edd924070239c4e5306d0e425aa14f8618381d49a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
6bdc74b6da5d481eef45b9cd53534ffb

SHA1
493d828814b31801146ace0a61c63cd1af1ac57b

SHA256
73d2be1cce2baab415b727c3b239d9d79a36ff2a1409df275a8ec28cf7f2fbb9

SHA512
678a3c55d3efdac800dcf0dd6d0a14213a48056c26fe81865560fca1ecbb5c13cd3fa12f6493d8c7ed197fafeda9e96ca1635d4f16ea3e134cf8439c2af50878

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
51172ed660804a17b57d6e4282ab6c1d

SHA1
7ddffacf064885bb4413b8493210ddb7e55e63a8

SHA256
c7d517c7f5bc8a385f856baacf22f4478b6d5d6adcf8e356a3c5af178ffe4d95

SHA512
facf4f268aad84e6ae2fb851029d50bf44bc117378f6839b06a66b35fadd839c0eb062d28b72e40702e5b750cedcacde77a1f12ea31d8c0f5ae7331d800cabe7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
c5be88582c9a8c001c2c237fa046092c

SHA1
50039f2714f8831c30e4aac87fd5e879ac51502e

SHA256
1f8af35ed7ce72c847956f8eebffcd6cb9806d2d793cc4ab2efc6764fac02a23

SHA512
033310129646e7e16bc20041d1886d0a95a1de93ceff725fc5e4b3d38480593bc34f4124a82a69fa209055f7264bcd8f13dbd845837ce3363cdfa73deca8d693

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
d091b3080cec014dc67dd32cfac6b70d

SHA1
24e20aa61a4c736791202e530135467951c94020

SHA256
226f87ac5bfe1a5adf27e971bf38c6bc56e7698453c2463da7b928187ae0a603

SHA512
fae0c6d960e3f569d39fae6e1670e108074a0f595258d78965d567e254067fe0b9c493f77253ee22cc1c350b9f2933ae160210d8e874f7679e010a8e15b6ff8d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
e70d7b0e0b1d85bceee30df7c0ad36fe

SHA1
27f6737456ec9dbad7a7fad4e77e0631dc4d9edf

SHA256
2fc12cc6ed025b22c04d419e6da058fbb3b1a3d6f874f8520d1e957e3e0d82cf

SHA512
952cb40a28d0dba4b6b8bdd60d901d5f19728c398b6f39a8c1c5cb722aed29f7e7e8242eb4170034e1e8cde4198140a7a6885ee2f874da50371c428438b20fb0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
9248b683d6ee6987f7f4f287374394c6

SHA1
9c681c46b81ca3ac54309409bab2cbd7338fe049

SHA256
bd4e7a8d8504110ccf4dc7840117023642e3a569649663c98d171ed5aeddd578

SHA512
93d742310e3f95dc4e6ad65b170e6c3e4b159998ea805a390bb63c1f2964d052ad2604930a4fbd3b64af315aefd6b6dfb3d2f3f0d6a7d462e2ead4c4948cc496

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
82ca0a7c44bc42b1bb9c70c9037ca820

SHA1
3bc365d0778ce755d8acfe6a101fad7b52a384df

SHA256
fc26964a81dcca79f183a3e35d48f6bb4acb18d43bbc780b4620455a454db909

SHA512
e2f1885f64201ec8adce646957e78598455d69931d5ec549a1397f74ca2389ff9bcf9a36d90b2e33f0176c9fb7b25debd47b50085286af6015917933df65d3ef

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
5c02c6558105cbbd2c64351e5749f31a

SHA1
9b4309c8e8962551b2d55ab27078ccfa260e4e0c

SHA256
de1ace46d579615d8a6245b471931bc36ff67ca0bb00e0e14e662770da8ed830

SHA512
2c2a6afc961387290cf5f9f86628db2755a44bc773b1aa4955f41fed290c15765199cb35f90c4757e1f0eff9cf1810c51cecefe6cc63e059ede69718d7b4dc96

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
034f0a0de454b82856ebd3cf21080742

SHA1
9eb7fc0310253e455a9e47fface635fb176b4968

SHA256
71f911dfe413c55c826613c0d0e1198f27e3d43ba2c2e8d95fd7593aec0ff3ed

SHA512
9a4651da90784c0e4eb7a13c46fc9b1ac055af96915f258f1145b376dc6ae3d044f84409d004bc51ae7bbb92121a0ee07a940e0076261b8edba6621be0d75494

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
f03f24f4044d56dd52f13048cde23ce9

SHA1
ac2109333f94b401fca72f62de043e36b27fe84e

SHA256
24147924691bd4d66069fd59357fe8acce3487c1123d933f76403dfa5e2db2e9

SHA512
814fc7dd2730c3e6efcf0742da8d09418b71164a37335ea16ee72d4cc5419447804975e7a557f14d19e4415fceda5e36ca60690d745bdd09f5674bb0dbe243ac

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
3208888789ce9d107913a489a3b4decd

SHA1
a6bbc0f8cd17c2447e2be0c1d52e23e991d6da9c

SHA256
f094edee8578c914e7ef1f5ef7b39904f81083b1a7575d25cc387a55bf218789

SHA512
ccbd8f6da636057e21015937b6244ef9fd25a0635d513cd5d8899d8210942a032840e6e73778b638fce03bd3824805812b701a98fd383d456a208cf83e4a9a8a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

Filesize
2.3MB

MD5
06c797eb20005ec5e586d2160cd75163

SHA1
1e46bd691e5c4191bf1ac423a714fa72b3b97b96

SHA256
5846d03e4a8832abbf465ba0134e001814fbe2f388c5e7be16b3634cb5166b49

SHA512
eacdd6f9bb0602156db9cfc93be12f78fbd27f59327736309ce66981053343a0cdb3e1252bad1ec6074b3d91c7ba50219ffada2708bc43ec758bf20f1bfdeb63

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

Filesize
1KB

MD5
efdf8c257a504c97870dd40a059456a9

SHA1
33c0d2e44e6c6373a7edefdf09bb8695ed23a54d

SHA256
1180d928c83ce2dc3fb484e45545c118ad47abf85341d53a657d187482fd322f

SHA512
f21c45f70489e7fe07fc91e0fa17887ed8039e9606daf4aad071bcc9778149c77898a2b544300b2fe5cfd36d38a698c97c61cb3c946c4edb3a281bae3af01f53

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
1f34e1f35ea37888aef27ad49fc59eac

SHA1
59bf3730749bb1e24adf95852fb3fdf0072df0a7

SHA256
bd212334e81e2ec19c66770d0322fa4dccb38c88ce8d3b98b739396c6ad043a7

SHA512
780b80ac9b8a6acc69e88c32acf6dcf7eb05d29341f2a506a28ac8e27092579677621f0e42bdff8a010288c4d178e971b986e285dbdd22d89e8bff1e0d1ed97f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.RYK

Filesize
1.7MB

MD5
466a6dfe7c9aef1b1993320346d1043d

SHA1
74229d94373c447ad3932a2c3799f137060ea4ac

SHA256
e9237dd842fcd17b9b1f6847c9ea697020eaa0d98afe5d73d9cde9b63384cb7f

SHA512
1c515c8134d7820b886e8256cd9fcd8ecbac801cda1baacdf1629f53a2c5bcf1aa08a351570c63f4aadb3baae57cc52d2e87013c4b840cc07b1276a351d0b512

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml.RYK

Filesize
1KB

MD5
a3617fa0593b41f7f983e7eb8c405c1f

SHA1
da08a1d6ee502f5938018b30cad214bb3f0026f4

SHA256
132993831c15790f766916c8d856823c28725ee6290285376ad51799d2fc443c

SHA512
c00fcdf1093d63a0d1e81ca713fbe27787e01ce12673d0422555fbf441f2aaa2eb3bbb595878423d4f689091aeebcfb4b254f5e31aadee4b03deef0ebdc89a68

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab.RYK

Filesize
16.6MB

MD5
281e6ffd1de898ee5b7e5b1a70bb7743

SHA1
29ce7333840a89b17e161fe281ae795d3712c436

SHA256
bb6cb07e1b51cb11fc6eb4e80ead0d5b630c752066d17bc9802c5f7b00196a74

SHA512
4eff0da70c67ddb6b44b795528afe05b0ac2487650474d483951d3389e1f3ad213b261ea3bd0f40d3e5d98733a676b93502d36c082902025c897ce82b29c25a5

Download Submit
F:\$RECYCLE.BIN\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2952504676-3105837840-1406404655-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2952504676-3105837840-1406404655-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit
F:\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit