ryuk | e5240cb911dbff768a00aa266dfb28448181d94b750d108df73c4f56b7ec8cf8

Analysis

max time kernel
108s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2
SSDEEP

3072:eOFqYZEtiRjB+OpBmUHkRCBMmn3T/znyS4:eO8xwjBx8UHkt2DJ4

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (151) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
2532	1073r.exe
3000	ujxNmpAnqlan.exe
1332	XBNOADooylan.exe

Loads dropped DLL 6 IoCs

pid	Process
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1724	icacls.exe
1656	icacls.exe
2336	icacls.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\G:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Z:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Y:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\N:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\M:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\K:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\V:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\U:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\T:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\S:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\Q:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\O:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\J:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\X:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\W:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\R:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\P:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\L:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\I:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened (read-only)	\??\E:	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\micaut.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Pretty_Peacock.jpg	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ja-jp-sym.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nl-NL\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sk-SK\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hu-HU\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\tabskb.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stucco.gif	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\InputPersonalization.exe.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_heb.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrlatinlm.dat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\de-DE\wab32res.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InkWatson.exe.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_ca.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\MSTTSLoc.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\es-ES\msinfo32.exe.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\OrangeCircles.jpg	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresplm.dat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\System\fr-FR\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwresmlm.dat	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\IPSEventLogMsg.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.html	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2532	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 2316 wrote to memory of 2532	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 2316 wrote to memory of 2532	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 2316 wrote to memory of 2532	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	30
PID 2316 wrote to memory of 3000	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 2316 wrote to memory of 3000	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 2316 wrote to memory of 3000	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 2316 wrote to memory of 3000	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	31
PID 2316 wrote to memory of 1332	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 2316 wrote to memory of 1332	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 2316 wrote to memory of 1332	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 2316 wrote to memory of 1332	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	32
PID 2316 wrote to memory of 2336	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	33
PID 2316 wrote to memory of 2336	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	33
PID 2316 wrote to memory of 2336	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	33
PID 2316 wrote to memory of 2336	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	33
PID 2316 wrote to memory of 1656	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	34
PID 2316 wrote to memory of 1656	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	34
PID 2316 wrote to memory of 1656	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	34
PID 2316 wrote to memory of 1656	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	34
PID 2316 wrote to memory of 1724	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	35
PID 2316 wrote to memory of 1724	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	35
PID 2316 wrote to memory of 1724	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	35
PID 2316 wrote to memory of 1724	2316	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	35

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\1073r.exe
  "C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2532
- C:\Users\Admin\AppData\Local\Temp\ujxNmpAnqlan.exe
  "C:\Users\Admin\AppData\Local\Temp\ujxNmpAnqlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\XBNOADooylan.exe
  "C:\Users\Admin\AppData\Local\Temp\XBNOADooylan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1332
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1656
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1724
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:3856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:4060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2116
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:856
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:4076
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:3336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
22.8MB

MD5
a040203954f39be2a1cbfbefd98cf9e2

SHA1
ce7ef304991438b876f0cb1b4372e646e146456f

SHA256
24a3dcd204e78ea62f1f99805de12d92445a16d141516821e263a65a2c46b40c

SHA512
2419f95b7c2b29fd359147d0ccb88c3496a2260ab415cf479937fd6eb8c1545daca202339275e29cb018ca8076f333564a5cda7ff57cce0b2d4e222462fb3558

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
c515325bec289f316b7d4aa197241616

SHA1
5fb0e5d6a0ff218c7b6cd1403c8388aa5ace79e7

SHA256
44694c4f61d0cdb9ef078273836f12015083942e384e03478ac07a44982d6bcc

SHA512
ac0b0c9636d80e9ae9fb6752c1689c8782dd0534f5797e90c6661c96845dbdd7a86e6d41d9dcc311dcaf02c9685b2d6ce8c536231a3dc47e3f0ca4aa896dbd99

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
808b6af629c866d849f6dcd32ab1c69c

SHA1
90328282c27403473dd225001ec55664e3fbe071

SHA256
65b84bc2e6bd1b2ae51922372bd1c3e505ff1f901171d523752015cc2432d679

SHA512
f40ec1c2fad020dff59c3e2f5e604a2d32b4a87c5da996ebf5df8dac50834dbac56f27ac523c04add182af4d8aff0bf3e31b6c151dd61bf8e1eafc7810ccdc2f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
c1f9501085988e670cb2109f51b36616

SHA1
d302eabfd323191a6462e86c62d026cbc8ffa6b5

SHA256
31833efd3db313f36929fcc2de738b76049cdafe38628d8ab2683863ddd1af72

SHA512
1443b294f172be2338e8dd66e3851a7c6ea091c8ebc69fd3f1fe6051d278ef99e2390b3987a4d309a1f8a45b523585a7457e65449cbd62c516a456a105f0b4a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
7481d246bb6f40cb40a51a2aeadd6ea6

SHA1
77ac3ac9b3eef540de043c91a2c926f7f7bea2ef

SHA256
3b0e60592a169e58e42c4091337aa0ec904744b22eb3f7a70ca53d448ced101a

SHA512
a620dce7a1ee77e56284e7312bffd13a6da7f4025888a68687903dd76fda939bc02ad9a3ff3fb8f7593054fce72a07bd1a340f106f6c259c1320456397e50de2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
9fd8c9436d5aab1556269157c6aae683

SHA1
da871c46af9db79561057973b10f6e211a19946d

SHA256
21ffe322dc4eb1d3520ea625b2552ffbe7dd25e9f0df9f610564ecb6408a40a2

SHA512
95aced7c0b41136ed90f0906f6a3174d8a38df13ad289c7b5f56ee7acf477408eacf6cd6361b14b47de94ce94921e62a447141dd8d7daaf7584771dff1c0a5b3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
26953ec211433e79655996c3e524cddb

SHA1
13776eb3f6afc258994a7f26065aeb10e60e1f56

SHA256
503aac1c9fb638c628905f859896e54398e293243063987e53d5d8cfcee7715d

SHA512
feaffb8a5ed2bb5526c8bc857b2325d9ec9c25a69ab8de846edd57a8de070ebc27986f4b34c03c1ed3a7b688a5b8e420fc05e58ce443322d21335690fd08a92e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
378186f253cb066f8a8a16408ba05595

SHA1
d02ec60408328e2252a11d9fd46f0d80d4ad310f

SHA256
db11be89c961ab1b9b1fe9b58e6e38966cb56815266520a07f60312aef7cd4a6

SHA512
1c03a4bfc44b9af65dbdaa026cbf8289cdf35174626915affc7f50dd94630a63aede14bf6d383a3b21945b1a3fb5cdcadadb0bf599ddb7292cb7fc5a078c04a7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
bc931a32992d63a9cb7a004a2dce97dc

SHA1
64b8ecff998992491f1205acf54abfa4a66367aa

SHA256
c101f03bbebea1f8e99c9e524ef1bd16cfc746edfd45b2b2888891fb65c363dd

SHA512
826bf868117978b3d9ed255b4ef569bb720639b8128a0321427bfe353bbd5955a1ad72b210d593f1c8f20c050359cffa9ff3d28b249869bba1a1e465bd0fc8bc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
ccadcd297706c59b032a7484d70d3d84

SHA1
7bce489ca6c299acff7f94ed3508784f9636ed52

SHA256
7c3a4a7861f24613197c2f7bebe4c82784e61f62c2bbd23da963c669887cbed2

SHA512
05c8339082d1ebd82c6696525d0e23f899e35306cbd66851ea0c3fd47797b3ac041aa745598ab3416f7642f549477a4bef6f55201b2a9dce937aed65d9495787

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
fcfad47ce51fd642afd6d6fc43513c70

SHA1
5d07495c4f0ced339417194e583cdcb60197c0f9

SHA256
6dadd14fc4c616c09a1ac7afa64ded0f19853eb188a6a90d8a397afc15eeb632

SHA512
3956627d34b364b661748b4892440339644252403f79969a06b9ae4e6a0684b306441cea4beab7ac5299ba8a5f125e69a050f721e3045ddbcf6c8e31a6e89f6c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
7ac8ed8bd34291671724ace9d6a64c70

SHA1
275b7f0f28b38e4d4f37929436b2be5c227390e0

SHA256
bdd1a5bf22b84512c7500cf596a7e6959885c32267294edc27dbc084f0211174

SHA512
a7a6cf58b894ccdb7f95f3318a664b14ad8bc635688757e3bca249f8d36ce73aa2f8b9b71e0f02a753286bd97589d2bad388c5f00ca181463fa3e4f773a95e2a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
06ba4a323e4a028be9932d7251ec7f9e

SHA1
02070ec861c04e8bcb4cd5b3ec199437adb84d42

SHA256
43f9471d00107476164a146421faea8a41a632f14db7b93137873a79c74ca26f

SHA512
3d38a6de70010e70f24236175af5570dcf5d5b9186d88043ca4388a18623cd87cbbf46af3158a07f8b657fd6d21885c6c54d4bfbd77a55be916d31d7c0824168

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
aadc6b5c58577131727a769bd2411df3

SHA1
bc08ec449f52d97379efb58c34e631bb064e7920

SHA256
6e6f2411431f8ed39fb8f0aab854add9cb1ed40188048ca07556641cbdf49d69

SHA512
8a4ab905919007ab7e922fa0dd9dd3607c0ea9c391eafcf26e802728eef8a456d7e8d3913c4c9939f166538ab4e178fdfd52b7493a74f5d80535c438d49b3b34

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
a319cca493646baa6b165d6ef6461f84

SHA1
dbf75f661859e9835427c084efd70ca7a57b522a

SHA256
26407ab44b4376e8b764ddb805ba5b38464c3db58e83e2b822ea2b1f4dafdf7e

SHA512
ab517639db2724dfd4d9116f351c38c49319548f1aeb9c7ad4d29aaba08cd591a8c4bc0f94b01847b8c838ca2e89db089fbee6840d0ca935b27c69b8aa67eb71

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
a52681a1cd78307e538f46342b8744ae

SHA1
e777bafc8d06a4be6633e50819b807a07df5dc4d

SHA256
29d5a0b6a78dfee4bfb8317d25bb0fb0c4ea63e80912a267eeb236fcf3a1bc16

SHA512
b300df7f97f861d0878b8a83c7e74021c9813a4231d18813d6ff335eed1b2e51bd0617c58c79910b4bb3405e93f33448268d495a7165237e41abfa0044e81bd0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
4507ece8fba69c537699dce7eacde13a

SHA1
ca7d8700a49836f57d1b22294985991951fe6cfd

SHA256
5c3fd14c2842f8daa8a2a41913ab299a7da8917ca04850be8c7b4eaff43ceca8

SHA512
4e039d757b64231eb03ed1d3e2bed93e5943010924eed6ea8439fac771a363c1f9f0c9a121fe62361864cc01f5e49fabc3093c0d3683866906b9a1633956f1ae

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
52749027b963ba1b3bda313e58e2d680

SHA1
d1b2511d90dd559756de6dffdb4d6defdd68a0b9

SHA256
dbae2987a38111fdd03b5a4a3ac5cfc674663d8750b29d8f7cc72188dcce272a

SHA512
504d15b3013f21ce5ab8a0deaf36825dd37c18631d97e197163e138f55758303043e070cdabc20835e571807df1e23f9a3913a3fee7b87598dde11f137a0f653

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
1090d8e34c6fc564aa93ac6ddbbc0dd4

SHA1
302047569c81cd93ad0d640fdc79cc1ae31f5c9e

SHA256
18018009b24261acdf0d33b0fb9c9e023b151118d21ecdcbe0f8f15a1c65b321

SHA512
3a3d3e0e92960a12111b1bab2715c4018395da2e15334e38d76ac06a895149c11160f2bbf2dc6545909945bf7019f9e3adbafed4dae652339c8ff429a35044f5

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
4581fe26e3741003d51f7c3ddc35cc92

SHA1
7dff77d412822dcd3247447071a3062a9813648f

SHA256
be4fa6ce55ca60e8bb65bbebc430b4dafc924e313c11e24ef09b80efc7b0df2b

SHA512
77e23a84a08f56b40536eddc3194a72fa68131f80ae9ffae8f2d2f95760183c4a2e830d98a89f840c8afaf0a6df45d3c72e8e7bfffceb2495550638ee913a2bc

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
d83a581a88dcd566d464c7520fae47cc

SHA1
95b8864321a799e56ebafd77938ea4c111b5b4bf

SHA256
e7155707bf879f9b306b6fa4e1af624bc873661cca2232a9593aa39460b450f3

SHA512
1a3032bb6a08b05b715732f32826d80d0d77501feac6608b10e08b1f8f236c28388afe1d4c008d9d0436f242caab261364815d80848d92b63be236921d18727d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
aa042f43d6536a13607757b960e02db8

SHA1
3f6b30ae5d30b106f0e4ac991b9ef50c2cd92dee

SHA256
a7a65ae1422b246540bbb78463f2a3efb0259f9598d986d839c57d39ddbcdef5

SHA512
687a97413ebd21ae2abb4a5ca1f0a845c2394887ee5c5add849a94d34c4bc6f3af2e96fd1ec9045cf34827824245a23ecd913848ae9d36b1c57b673bf83e8b84

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
41552da0881552a5cac5d9f15faefbbb

SHA1
2b34f7032993084bd7f445552a735c58fd92730f

SHA256
3ec02fd9b454722ff526ca9490b8368641f74dea33a6208f880eb3c5b6e29a10

SHA512
5a6f1568ddfaeeec13872f0b0e3d4d475c983fb89befbc812cf036e4a16ba2a0c2ea9cf0bb2f24fd69c346df0311ff0a8e65e9a6af9c3bc388b3ab067212f897

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
f435d0b2b8a8d4e61ba0ac6a4b4b83d7

SHA1
3fb5619489ebb79cbd0825b535e39bba0e07a3fc

SHA256
650a34272dcf9e3bc009d37d75ffbfd9132b13467022dac196d0cf4dca46c503

SHA512
da01fa385d56e52aff99c0369d5b5b175c8adb7281eb5cef14459733f72c58b991063254989afac623a1381e403fba0bfe0da95b5a198b138da01d90ee099dc3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
435af4033111bd4121cff7cc670154e2

SHA1
f06af5c01e8c83cc9750a20683cafd6b901b671e

SHA256
ccd3ef12f9703a74990232be515f420b720ddfd018ac26f905a27a79813238b0

SHA512
09eb9fb21ebb0a3536faf69c647e8de52396aceb47b5d4dfe5b3d4d96872493dded426f4d954cb62e4bc42d3edf42d1297339c7d03171398d8289a5339196843

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
0071a3529b41bad2253fe8b3ebbb479c

SHA1
c9f668cea48d855256a54ce56b1180affbe2f357

SHA256
ff579b92e902abc1c058c8c301c1cfbb45ea214f5786b44fb8b340b4231e00ed

SHA512
8686e5f9eb8db08f1ab139a02ead6c1111ea44ef0da9d8c00d723d247bb60f899eab97880619db62cd761c6cb18a9909173344147a285a0181c4125afbd4d589

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
d2d4556582b95b7e921f800c9314c457

SHA1
11edace71b514e55ebaa76612846a9cc436fee8e

SHA256
20ab95de2a96922cb5942499cd6d376609ee2ca89a9267960889e87eb0f615ff

SHA512
86e24b37cd6ecb1ce859c06d0760d26b43001f2298b558eacf9ec9eb3b31a0d17c0d187043bba50771b1b35590ebe41abbfd4e1e4300d32f838dedb221cbc1fe

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
0dc17c505331e180d329fa1014121b6f

SHA1
4d669eeac1050d1a069fc001c0d4638f84aa3dbf

SHA256
56d93813092c46534699224395d2ecce4a1990585b104dd95842a93f15c06a3a

SHA512
10268212a5d5b6bff24aad467a35aaf75f56258dcf818e3e08ca8bea6e38bf9a8300bd5c115ce52c779ef09de2099abea3478e51f80821ac8f5cfc91f201cb7c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
1939117db9c8283f87a2b7abc268d2c8

SHA1
4f295b8009a844cbc92ea525b660699f0563c279

SHA256
b20bb5aa00cdb3d92017200039c52bd95d8047b980fdf05759d7cdc607e9cf74

SHA512
34bc9d028431461fd618da9ff6a33ea544be17d7d511fb8c787c7cfaae6018b1fa5198e4eeb5f00627c4e65b3197baa19c5cc98b3d499ce58e6f1516a47c204d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
4ba09f807e3654641853d0f45c4632db

SHA1
12a806920880f1904e6d5f611329db77737d30d7

SHA256
9937fee6e18677ddf0560e1328e40091db68c4000f0db6c8ae17b21c6270ebae

SHA512
4d12fe007b96d88732efcfc1f232ac3a34699105bf56880fb324ec808d9c86537835ae7eb265c2b79a98f96edec4701d503bca8727616f2a5d343b6a549948cb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
ade934e42346768a9ecc2efd0bf3a9ff

SHA1
d4a7e4ccde7181c14c3e6262ecb9f3ef60c577bc

SHA256
86c376d2ebf7e1b026cd4855de4cf83b845a14d5469ac463143eaf7a9a4dd69f

SHA512
aae04fb2531eabb7217d335441a7e5fb686b6b913ec6975c6ca553950e439f9cf8ac63db0fabfe1a135674bf450b6932d47e462a945d601fcb674180319fb507

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
043133415f4aa315bea1db6d66dc240b

SHA1
95328c66800cbb29eb04d321fdc80f0ae204bf33

SHA256
882c8478bf2ef80134d2bdea31061dcb8d0f960494d3103e2f95138a17ee5d8e

SHA512
ae9c89e7469d71dc558147552ac4a01529e7bb0fcc57ff546cf10112400469d26b94c5b128070658ee0a93668a7a0fc404d39b2b121c03a57f2047512a692d0c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
4ef471af1064a8a89c05baaa6e327400

SHA1
cea10a482cd7d300766e8bfbd9ad09e99df9af9d

SHA256
f5d70b943abc6014567b79cfd2f22b5505c410cf82ecc21b1a619deebe2fa913

SHA512
a70d137e1828c07beb9f2db9a6ce3acbe49497c0ee9ee1ddb307cf8e83ff5323da4f8015374abda3b7f8735cf88c67129239750bdd3a15af6789b7caf5c77394

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
cb1f1a1d970ee9da34a7a1d0571e0fc4

SHA1
8fe8c7ebbd9eea66d1e6e65fe3e2c33c467b9a06

SHA256
7125ca3a5e54d7b1b2f3b8209d36b013950a500505372f95cef0334cbc0c2f4e

SHA512
a7831ce4db5157ccc550958ed517d2ea3f58d9a4634a142fe41a657b07eca6774ba45aa481f00d95f6582d3135d3834fdd6e92667ee650da7ed47d32aa49e568

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
1fdb716df692c56c0815439d59eef06c

SHA1
32258e508be8768854f4f227562a2fe75c38bc93

SHA256
2ac062cf281e28db18eda289823c3e5621b799b37dc982ebb1489d3c78fcc3df

SHA512
ff04e870a9172d78361cffa12ff658e362ddca55a8b04400fe40ab5f0781b85eb75dae7ae3aacd654cb2f76b61f6aec2f1fd4be36543a04a1efaeed530b912e4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
3b85fd21712a1b4cdf9dd1b610bf6295

SHA1
e9bd2eb57259ac78772996ad8bec556a8666d5c8

SHA256
2bbd0fe8b0da2fdef6865df3bc1316a3859893633bdad6deb8aa7f0fcc64d63f

SHA512
68527cefb6867f4e1a609da3a73ca3a4447692349ada9b7c7cf4dda177ca03254b4545f9e9ceb52952b46a0f7eecbc0dfb942e98e9c40d096fe8bbbf521c1dcd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
6849f72ce83a45bfabe60876b27e67ab

SHA1
01f5f91dec93e9604a047041faa1b1a68e2ab258

SHA256
53d811544f724e5d1767e2b32ad4a2f19555eaa98e77c2cd8c1c8eb0c027f43c

SHA512
98c2c759bc817d41447c84bb1d0c3ab8ce8c87de4b3ad8641764505608a2003736879e6f100038cf6da74d7158ba75746c41bf8aba4d88a587aa6bf408a89496

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\RyukReadMe.html

Filesize
1KB

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
\Users\Admin\AppData\Local\Temp\1073r.exe

Filesize
144KB

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit