ryuk | 6d2518918e5c6e5738338e1acebbdac572308585f39a3c61f82825c539e9c5e2

Analysis

max time kernel
106s
max time network
86s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Size

119KB
MD5

c68395e474088d5339972e2bf5a30f3c
SHA1

502e42240969399c09337ecc7b5ca8fc1ba4baf3
SHA256

9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8
SHA512

5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a
SSDEEP

1536:j/t3fhrg5rw0lQa2+T37us7RidSkPq9IiJ/EXrAyPca7m94nqHBmQSsWZcdH2kB/:lG55XP0Vq9IiKXrxkKNqHBmEHNVKA

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'BVb1qR2'; $torlink = 'http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://oc6mkf4efqrjp2ue6qp6vmz4ofyjmlo6dtqiklqb2q546bnqeu66tbyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (2060) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2900	tPfXYOLSRrep.exe
2916	jjbgQTVTqlan.exe
5260	bafzwLNODlan.exe

Loads dropped DLL 6 IoCs

pid	Process
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
24512	icacls.exe
24496	icacls.exe
24504	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationLeft_SelectionSubpicture.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-compat_ja.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\tipresx.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\sqloledb.rll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Amsterdam	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.console_1.0.300.v20131113-1212.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_MoveDrop32x32.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-core_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_ja_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jre7\lib\plugin.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainToScenesBackground_PAL.wmv	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport.png	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_it.properties	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightRegular.ttf	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.jdp_5.5.0.165303.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-CN\tipresx.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msaddsr.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-services.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-application-views.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\FlickLearningWizard.exe.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\RyukReadMe.html	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\DisableUnpublish.xps	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\DiagnosticsTap.dll.mui	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\HST	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_zh_4.4.0.v20140623020002.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-windows_zh_CN.jar	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2900	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 2244 wrote to memory of 2900	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 2244 wrote to memory of 2900	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 2244 wrote to memory of 2900	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	30
PID 2244 wrote to memory of 2916	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 2244 wrote to memory of 2916	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 2244 wrote to memory of 2916	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 2244 wrote to memory of 2916	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	31
PID 2244 wrote to memory of 5260	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	32
PID 2244 wrote to memory of 5260	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	32
PID 2244 wrote to memory of 5260	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	32
PID 2244 wrote to memory of 5260	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	32
PID 2244 wrote to memory of 24496	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	33
PID 2244 wrote to memory of 24496	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	33
PID 2244 wrote to memory of 24496	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	33
PID 2244 wrote to memory of 24496	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	33
PID 2244 wrote to memory of 24504	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 2244 wrote to memory of 24504	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 2244 wrote to memory of 24504	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 2244 wrote to memory of 24504	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	34
PID 2244 wrote to memory of 24512	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	35
PID 2244 wrote to memory of 24512	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	35
PID 2244 wrote to memory of 24512	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	35
PID 2244 wrote to memory of 24512	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	35
PID 2244 wrote to memory of 35000	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	39
PID 2244 wrote to memory of 35000	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	39
PID 2244 wrote to memory of 35000	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	39
PID 2244 wrote to memory of 35000	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	39
PID 2244 wrote to memory of 35028	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	41
PID 2244 wrote to memory of 35028	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	41
PID 2244 wrote to memory of 35028	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	41
PID 2244 wrote to memory of 35028	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	41
PID 35000 wrote to memory of 35060	35000	net.exe	44
PID 35000 wrote to memory of 35060	35000	net.exe	44
PID 35000 wrote to memory of 35060	35000	net.exe	44
PID 35000 wrote to memory of 35060	35000	net.exe	44
PID 35028 wrote to memory of 35052	35028	net.exe	43
PID 35028 wrote to memory of 35052	35028	net.exe	43
PID 35028 wrote to memory of 35052	35028	net.exe	43
PID 35028 wrote to memory of 35052	35028	net.exe	43
PID 2244 wrote to memory of 36172	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	45
PID 2244 wrote to memory of 36172	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	45
PID 2244 wrote to memory of 36172	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	45
PID 2244 wrote to memory of 36172	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	45
PID 36172 wrote to memory of 36264	36172	net.exe	47
PID 36172 wrote to memory of 36264	36172	net.exe	47
PID 36172 wrote to memory of 36264	36172	net.exe	47
PID 36172 wrote to memory of 36264	36172	net.exe	47
PID 2244 wrote to memory of 37944	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	48
PID 2244 wrote to memory of 37944	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	48
PID 2244 wrote to memory of 37944	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	48
PID 2244 wrote to memory of 37944	2244	9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe	48
PID 37944 wrote to memory of 38252	37944	net.exe	50
PID 37944 wrote to memory of 38252	37944	net.exe	50
PID 37944 wrote to memory of 38252	37944	net.exe	50
PID 37944 wrote to memory of 38252	37944	net.exe	50

C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe
"C:\Users\Admin\AppData\Local\Temp\9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\tPfXYOLSRrep.exe
  "C:\Users\Admin\AppData\Local\Temp\tPfXYOLSRrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Users\Admin\AppData\Local\Temp\jjbgQTVTqlan.exe
  "C:\Users\Admin\AppData\Local\Temp\jjbgQTVTqlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\AppData\Local\Temp\bafzwLNODlan.exe
  "C:\Users\Admin\AppData\Local\Temp\bafzwLNODlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:5260
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:24496
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:24504
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:24512
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:35000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:35060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:35028
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:35052
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:36172
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:36264
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:37944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:38252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
a29efb691587615192e2ca6f63c81a3f

SHA1
91c2391a6d981dacc2ccff66d94f5686238fc14f

SHA256
989ceb59001ac193c9e0323a29555474f8fd89230004168bd0bb6edafb3da4f2

SHA512
3c9a9d1c0407ac732e1abf9083d5b78453b6e69d81c5daa621d284ccfad90dc05a35908f6cd47d91f613d64a4cdea9b3e9cf6938e3fc7860b3c8d911ff790aa9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
b1c65dc2d17ea09f4b537631baca325c

SHA1
6191c738b9238b808d40a9fc4ff83c124c8cf33e

SHA256
5392e1a37b3ffc94fa83d3299bb7a2ae028b7dd92a17d72347676266c5f6e7ae

SHA512
17e85693dc8e8101f98f20899a6d2050890b90304c35054be78e3ac5ad5600575984c91e804e3281d4765bc370cb5fe5a0fd1b2111d665d2608fb40387e055ba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
e46da5865f65da829452e83edaec98fd

SHA1
541bc94256c1ac7d00f5b5ba357b491700cd7cdc

SHA256
39b8577f11d0c03ad17fcf5927d52dcea784872efee1d03a4e16ed2449aa6de2

SHA512
9be67d9d927e6112b4332f812326f4f73980f963cd6536235d676f2796b23eaa514d2cc47be29d2ac70d62e152aa82cc85a71965afe13df520372ed6cf0a1d51

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
2a163a2417abc3a931cd1a16ce730dfe

SHA1
9055b97eb87c8a2d01c19d37158e8b4b475f34b7

SHA256
fb013933beb82f7cca172c785cc7672fb93e6309d219f4bc31db73e00c9f5bfc

SHA512
f78a6f5db3b986f6835fd47dcc2ea0b1cb8e793715c3ca6141c1cd936b637708954927eb29aeccd36b00d8e9864e6bc2ae5d21d87911805b2c23c08decb59151

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
e6a89b945a0756d5da5b6eb5a1d7313f

SHA1
cb36552a046dca19ef585df61a8b86809d228e9b

SHA256
be71283a97b7ca00bdbe7d545f1ae7cbbb9ce1ad147397e6feae96a6e418ba5d

SHA512
9c3dc06310d5e474172ac779be0379f79a6ac6136cc7cee8207ba43b584a8eb6700474feacdbd301738797a074a1160cd341e83d7ad8ec6b4d6dc4beb71d38f9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
fdd4b2a0ff52aa75d7802a2bfe762429

SHA1
773581167a294a373f93d15ce28b8b6be7b399ef

SHA256
cfd98ce66df4b994cccaf1ae493b06cb187b22f2f670354fd182b260891cf88b

SHA512
062a518f80d5bc295ef1eb9697f755aa9c5d44252c99c7cbb551ca87c360a9c51845c7ccda1251440f6ac5f4547e92da36bfe4f95b7493144bbff756174e58dd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

Filesize
699KB

MD5
4fa5e1afcb62811e33569c199acf0c92

SHA1
4e788b7766ac54694dbbde1fa72a2a0950edfd23

SHA256
7c2c2fc839151105c1b07ba59df5b8dd7b290a2b90208f7ff5fcaa629385cf8f

SHA512
d0afa128ebe6c222c965d1734e9f16842d02a7e79af4711d77bfb3ebc3876ff79d37674f9cab7c77ca44d8c7ad4c651758e039ee382ec29c73be2a35fbd2d796

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
e32610ca74bb2248637396b351499e1e

SHA1
0e9f8f40e2e330019e92d18c8370dc095c783746

SHA256
bcdc98583e59a01020e2f7cc77fde353a5bb711398ab63a621716a447a3f1cac

SHA512
f8fc374bfc0ded5b7d04f4212064055078668bbd73b68d61287d5c24bf8e07fa1280a10de24f1fb92726e50ac48fcc4300f259392e1bd27eab784f7307d7ef13

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
d0486deedbfd7315099a1447985e1d6b

SHA1
b190c77c4ccb2c73efd0e8c7d2a97d032ecf3023

SHA256
20f432609fa3758ce8f24f442edea2ba1d2bda39f1d323f8a78cef6ba358af00

SHA512
80337ff580273c99b302f4b73911e9b35cda34b6d0034fae4a7aa0dcbf869ad325498def0ffce6a028b9a61ca6b602db09e6d8a36109ff2008df4fd53136d426

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
f69fc44de3e8cde26893f0b0795aeb70

SHA1
88b8e406efed9e29c7dd795433cf0104385ffae3

SHA256
9c547568e874ea7d2dc739ae8a9d5253cbc9f570f0cf44f78ca32aa27140e1bf

SHA512
1bc76c4302fd23d9a3ef9c54dc13296936f720ff6684258df1b049b7f1f782eed6aa04f4ccd106d2240b062923c6c1bad0b25841788e538973160dda9b0f3872

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
93e54232e4dbe782dc69d857f7787b32

SHA1
51b79c2739805f45b7c66a88e6551bc73bcda3e8

SHA256
c308f89237cabd8a03e1854384fd558058ffbad696de019446c6ef7ffee0b750

SHA512
2f1c05ccee7b6e1d2af790e21cbbbf07a567e159a82a559815c2f5d51d82cc34e6b6b7d9aeb27227cdebaa44534fa2bee2e6bc65b05a1cd0b35ec1d2435dd838

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
2aee0050cbc6fa1d055d8808970c1e3c

SHA1
8f2c0a8080f270a7c5f1362d267bdc9534ccb24c

SHA256
dfa4b919ac77581e240f472c0465cd50ef9cc2eb142b34e53aa7b9d9df67e64e

SHA512
124ce3b98c36ef1248a71ad2845fa0ce3bd5dc56a43e77d00cbef765371e228224b35015487217cc5f871d61b4d56431f95d908761ffcba99334acd1173483c8

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
1156c63e44fa707a2bb601f00ffe0974

SHA1
5450aec3265fbd3277d8287da8963cf9dd413181

SHA256
40dc12b89059bfcd5a7ff4a22fb5c9f3d7696aa9e44c13b039d5aab539b7acfe

SHA512
882fbb74d90b5e87059de3e444122db24f09a16c25bf445fad899552c97abbf1578ff4eeb2f4a131098b9c92ac7f7781c778dbfb5d7e0123cd923215b39727e5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
6b6c00ab81a439a0e7df67800174800f

SHA1
ae4fdc557b8b4eedd4342837e1857479c6352bbd

SHA256
560444b8122cfbb678dfcf8c0b8f2ac7e2b2e1f828f1b78aa1952c8e14ceacaf

SHA512
54dcd01ce6088b692b78fcf8fb928e60edc7b9965facb206703b931985966506215eabffd9bb68250783d0253ed87fd439508a6f4f51a5ccd34f3a052de080b8

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
30726e7059a7e1e1fc093bf47af01800

SHA1
c7973fd51dfba24c9d8a15d7f04628982a1e6259

SHA256
daf1a41f0b65835e4725addf7df1df95054f63b8877cc10351b35153db7673cb

SHA512
9b8edc80d6ac220110a5f4e415f06e130256c95ecb964b36a8b07bede06cc50efba475952643ed7a786d7df1bc373b208f949421bf7829d76f3e431130398d8e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
a1a9553200bb9b1c29b02a10b13bab0b

SHA1
3a8be61458ba8577bb53253c77e4c0d43f53094e

SHA256
24e5007706391a8fc3acd3a75ecf24f7530b6443553d9853c2e2ba43b5dba4a3

SHA512
f3df2e365d0947d7aed5c6a6f31d1b5a11d44deef0ca9735ce692e9c4bc1fa2cf73e58afb4a84f000967f1f70c8fd5a2deddd801d2d85fae3146c3447bb91733

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
a85ecf92b94d1fcd8b098c9b103448e9

SHA1
a24165c9dbdcf03b5521710aac7bd6d089a12c12

SHA256
6dc52c907b6a48c0b529e78f085cc9a5c07bf949766b6057df065bb6acc40bc5

SHA512
d204ec1588e4b5fa399cc55fb017b6f2a8ed3f1ec2f6a9660c8e75341e06bcf2a471680b4d28019b2b51ea54fc12aece9965802fc970de87195bedea8e5fc95f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
25fbf613931f149e0ee5ee9eb7367016

SHA1
185b2338c5910ef275b06ef960bcdfd8d81887e7

SHA256
2f1e0e954a97c41c4c9f11deb27e6300dc3616c18f149b87b48591792b433823

SHA512
24173726f8b09b7ab56ab8296b855819d1adc3e9ad4b4e1d54e3ff86d76589d55da66ef486810054fecfb39ff9eb0b8a25e64bd7b3ba48958fe8b41e8cf52193

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
c70aa8019197e4d8ec9e99e913e95da0

SHA1
86cdcbac0705fac1d312372e8f19acc76da6e666

SHA256
35e63870f597737d1c6b3a18981d5d3f41122e136fb37df4ca2ee1a726f24e7f

SHA512
abf2b0c34150a500aba8cff5bc1fdbcef76eb283d778bf59483fb99593dccbe4d4aeb5737a41930662d774b72088b4da200f5ce02bf53032cd094c068da7ea02

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
2469ede18fd6d02573394b78efde6282

SHA1
cd06ddc93d9bb2788dc0548b295c16b808e57c24

SHA256
a1a40541c70a02cef2e0f9abf8f828cd608d36e4a9c097241323816af0803420

SHA512
fb70ba0e48d86aa515884044f7368c86b4ce97e6279f512fa093b5b724d2e4620e9e87b629b75746986bfd030ab765a1758dbb8455feeecd296c2ec093931c4d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
e462e8af8fd9d5b6552e26d20f581ba1

SHA1
50850d5a7364e5e95d24956db368ce6bb457e2de

SHA256
ee14c86b760acd1be68e52111027a6830f323760f60a409a9528bdb636ce7240

SHA512
fa1c1065b2be931e4f5f23de6a04c74564cdbd3100b1c4f073128fb08f5866ea0662e78f24633a1d058c9858d13f6a04287e8549fc1fa9751ad40c374ef3a7e3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
e6e9b490abd28d23fd20455e4194bf4a

SHA1
9ae67843e816320adb4914fc355369058fd9f8ec

SHA256
c13c073075d56d98a1b899f58ae44d03d0076b7c5319af6b6dba05b9249b09e7

SHA512
d2656c0caeb909bf17d531f6ff66e4cdcc36f3da2473e16378c101cbf5ef39238950ff66eddb2c87ade5052b98c37f633f9d2c4891c06db34cf0c8654a6bcd17

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
f5c342a907a6bbc405607986d119595b

SHA1
9d3ed748c451863b7e1a75ae5accdfe597bdf158

SHA256
7816f427dc915ef28d423a117970e473994d930615b054e22a1fe926c8bafd04

SHA512
6a2fbec19217eed28dc89c807fc89cea3a8e24ba71a821d9c9117899d5b906303676303912fe51f8d3b47fef0deb10aa58407897c8484525b2b8c1bf377554ef

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
a22ce5c0374f65f1410ee2251f13d1be

SHA1
c50ea3de840bf33e0ce6451e3d53a86fd02df546

SHA256
a75400f0ede88ae17165b5c80eca5d175538a84c00a69405ebfe9597554c625c

SHA512
c51feb256240c637bfa1fecc4c5a2b73b21b84ff4408d9bb308faeb044f0b13ce5d091ff7e92703d58a91f3984e9b41747faee82cc47a3f5d5bd7517577023d0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
0001fe2d6ae57acf7e4d84aaae74cc2f

SHA1
4decafdf6985972ca766f262391deea2d7eb135d

SHA256
e103bfd367fd1c413546296a93569f6fc8a8e4d65101343401fb370017094022

SHA512
788af0348338895e199074c1ea7bca7bcfde65c5275ef9327de9bc1735195941efdb598eac53efcf6a866d9f6ab62fb3594583b0368b8b91e411176d7b9d7196

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
7dca49091e023a814b5ef25f9dc61ad3

SHA1
ad01550284c36c5deb520d8187bfc88275707803

SHA256
6ab82d840df50cefaf72624624b8f4c8369d1b076006a3abc948ca64058ff030

SHA512
e95f0b1e57a4e6a05b57fe3db84fe846eef452248b03cadd7901b72e96f6705418fc2bfda24b874feaf989ac5b48b3d7f6d3b9bfb68111b99b7e9f1a2309bb80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
7e0955ea3799bdf77ad703462399f7ed

SHA1
839c65c604e38d89c8099d06a10b4164f4ecd0cb

SHA256
a2779f1f6b77074f5ebed5076193c96384212d81198c2b79881d5ab70cbfe2c8

SHA512
c8ef9442218d97e4cc82d312f699f5f1fccf595ed0701dd17469eb8c5f5295a941e3fa57e8db9e05e2342eb7843ebca22961153f7cee72569f6570a35d3e2bfb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
8f7d1dcc76d7484823a0211692216189

SHA1
abe08715e62063be2ff1d25ad012ffce1cf958aa

SHA256
a399d06e01171d2dd86d8623f741300b619ba3fdaaceeddc7e421478fb5f1dff

SHA512
5906e2f9e8feaa97958540edbdafcab924217d6daffa4f049c9ca586c88750721093bce806b9747e8c47bd45866f9be72caece4a725207ef3c26b4cb08d60262

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
8fb367c81c0ffb68b0c1fa6ac8a6f5ad

SHA1
f3922b1ffaf63a5c4e455dfdf583edb3b0d46d82

SHA256
699577f4c0d7d1fcdabe844f6775c3c627ccaf6d63ccab2ad1406d4c7b75e7de

SHA512
11cb9589fe8ca509719dae9342a7a13b4c8c611969d611497c4e0c13403ce44fc41c832cd547ac9d6a3a4165752f3cb5cf475fe9d6450f63ca4d8a9a2645b53b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
c1156ce5ca99eaa2ae9069336867a95b

SHA1
11eadfb85164031ff718baf195eba330ba9b7d12

SHA256
7f8cb7fe55a53df02fd9fbafbf2cd42ad8533dcceb2e0a95d53cb2b5e5f52787

SHA512
578325784f4b7d8b0b72b1994044707be46bb4ef805f8de7fa86b813dce735a4eb99b0ffa775c45ad32a92d442dbb9d41f574ade4a24e7018bb627849dcd212a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
6974914ad1804c980e762f2903defc8a

SHA1
4976624c50d29e2678dc6f09140be92b7a6f657a

SHA256
5f089d5fd34397b09bd0b313b6f269f1982ec0674aea8ef0ee9bd08f4437dbc0

SHA512
b06ad8f2f7e8f73ca39ce7ffd94770942284aba19e546260ae96ce7e94c6cc6e053e564b348384ce0c9e2d79558845c3b08fe8b66ce772fec5717de9e56d05ff

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
72b14f9c1bd3bb5971133a0c43dbc5de

SHA1
af25612671e96a4a6a40b7773035ad654c32457c

SHA256
17a1404aa4a46b317ac3732aa48e70a208bd63fdfbfda213bade435d0d295f32

SHA512
cf7b9673f60d1777c3e1f025f9dd3f6ad7393e1b47748ae5705c0c459750a6efd8118c192e717df53e70869e679254361bc5d48e26cf2af7a7c573a8d9c4600a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
f18139983bfe0fe5d403ed590f5dbe62

SHA1
5b65d933cc7c2f900b4ff1766556c43fbbc3be21

SHA256
5ca75ce132e5e96e8578803da2ba63ff631a156bac848646fa2e02afbb989f48

SHA512
96ca12926d700767ec762b72904035ad56d6531550137521e910f8e6118719dc0a19f26b9a33346b6ed3fa9c21fbf906303e660a11ed189f53ab7b15bb36e85d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
963cc9c8c400cfed767cc1447beb8dac

SHA1
eff9f74f40a3d3225470fc6bcb561f8dc592d803

SHA256
0ff90dab3cb4204637ac71e107dcd37f0a9155166d866941026d7cb6fc58937b

SHA512
aaa36fde4b9944fa9ec3427dd815c322996d1c12aa9abcc4c42bf3ed22da3f179ba106910bdc2bb7cfb4420179a4ee60fb116e5573ec89e6f28d43322397d814

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
9cbb539143e256836b18b021d29d3dd1

SHA1
9ebd9ce9e77732abe92066819eb948f4bfc97b9f

SHA256
1fab6f8fff283cf762347644dcc689a73b0b1259a553a938c46f54fe50022784

SHA512
4ade8cca4398178a8ba6ae47339f478555600cb1dc60cc02852180c8a3cad75aeebd41f9327dad76c39b3ed3bde384fe39d8e949b92116df61829b5d85fbcd6e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
a4a74af5d6c270c04858fec706b7e828

SHA1
7dd0eb02d41a6bc78c4ced86854a93de752fcad7

SHA256
cfb9cebca3fa1f9de13477de8893cfe008136c7f85606214cdf3626e1a8954c9

SHA512
061a08fbe43a88842f6eaddecae5964f83e4d06b843e0da663306a8fc82f1db0317d57485c9554b1d818a2a0d661c795b11b195d70bf14ae8f9644cd1241b490

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
efec2fcfec13541a29a3c2c5eef6152a

SHA1
8ff5e6abc3030b76e3990b03729437c6a84017f4

SHA256
30f90ab580178ff56137201243bef946aeb0de665fc747a1a83a56eff85cdc0b

SHA512
e7adcc382bdd23403e01d50f22c440ab19f5c6a37a4a26842a7a01cc7b432a93f5f5a00c78d287120f6412406a4a4ddc8d775310cfdeb4cff1e4b4381c8d824c

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
98d3b55cce54a33a6648f5b02a11f65d

SHA1
8c0fd3cb0ab6b4bf962199b2187d0984490fa8ef

SHA256
807979e800f4efcf68130c5b6c5af3c333c76e8b7198419ab0a2966a84322131

SHA512
9e8d9707a15bdd0e6a7ee360359d01220c5fe95ff472bef0c7460c2749eb8a1a480392b426a62709838d1260a25cff8f5da512eedd61fe2485ca61f3df451a15

Download Submit
\Users\Admin\AppData\Local\Temp\tPfXYOLSRrep.exe

Filesize
119KB

MD5
c68395e474088d5339972e2bf5a30f3c

SHA1
502e42240969399c09337ecc7b5ca8fc1ba4baf3

SHA256
9eb7abf2228ad28d8b7f571e0495d4a35da40607f04355307077975e271553b8

SHA512
5320fe8144071dde940ebd0285e6fcf573d36c28ea51fca3b5aecc49bfe5ffcf25d1afbd294e0d0b565a3a621d5ea189b075d868bbef521f2e1fe6702e8be75a

Download Submit