ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Size

279KB
MD5

5df4ac6e94ae7e9f9eb28d8f7f464946
SHA1

79f222f94fa265896c5e4578b91ed4ebc100058d
SHA256

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
SHA512

18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a
SSDEEP

6144:IS1cGDFCQuthKvzggi4quAM8QRofVjjdQxpBkAI5rZ/OuHqxwbmmjO8Sw6Z/rqS8:71cGlutwSuAM8QRC6pBAZmo9sZ/rhgt

Score

10^/10

ryuk credential_access dave discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'oqsuyezb'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (1531) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral19/memory/2544-8-0x0000000000240000-0x0000000000266000-memory.dmp	dave

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2296	vRMdYORzIrep.exe
2748	SRUQygHNQlan.exe
30312	pWTCuPmmxlan.exe

Loads dropped DLL 3 IoCs

pid	Process
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
55708	icacls.exe
55892	icacls.exe
52144	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationLeft_ButtonGraphic.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_ja_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\EnableDisconnect.tif	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Nairobi	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\join.avi	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationUp_SelectionSubpicture.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\play-static.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_zh_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\it-IT\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\local_policy.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.zh_CN_5.5.0.165303.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sampler_zh_CN.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Internet Explorer\Timeline.cpu.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\trusted.libraries	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chicago	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nipigon	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\AST4ADT	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-over-select.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Lord_Howe	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwruklm.dat	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_ja.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\PST8PDT	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsink.ax	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msdaremr.dll.mui	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.bat	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Bahia	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-lib-uihandler_ja.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\IPSEventLogMsg.dll.mui	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\sRGB.pf	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\.lastModified	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations.nl_ja_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_pt_BR.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Winnipeg	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2296	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2544 wrote to memory of 2296	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2544 wrote to memory of 2296	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2544 wrote to memory of 2296	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2544 wrote to memory of 2748	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2544 wrote to memory of 2748	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2544 wrote to memory of 2748	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2544 wrote to memory of 2748	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2544 wrote to memory of 30312	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2544 wrote to memory of 30312	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2544 wrote to memory of 30312	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2544 wrote to memory of 30312	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2544 wrote to memory of 55708	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2544 wrote to memory of 55708	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2544 wrote to memory of 55708	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2544 wrote to memory of 55708	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2544 wrote to memory of 55892	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	40
PID 2544 wrote to memory of 55892	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	40
PID 2544 wrote to memory of 55892	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	40
PID 2544 wrote to memory of 55892	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	40
PID 2544 wrote to memory of 52144	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	42
PID 2544 wrote to memory of 52144	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	42
PID 2544 wrote to memory of 52144	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	42
PID 2544 wrote to memory of 52144	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	42
PID 2544 wrote to memory of 69860	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	46
PID 2544 wrote to memory of 69860	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	46
PID 2544 wrote to memory of 69860	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	46
PID 2544 wrote to memory of 69860	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	46
PID 2544 wrote to memory of 68344	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2544 wrote to memory of 68344	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2544 wrote to memory of 68344	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2544 wrote to memory of 68344	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 69860 wrote to memory of 70524	69860	net.exe	50
PID 69860 wrote to memory of 70524	69860	net.exe	50
PID 69860 wrote to memory of 70524	69860	net.exe	50
PID 69860 wrote to memory of 70524	69860	net.exe	50
PID 68344 wrote to memory of 70012	68344	net.exe	51
PID 2544 wrote to memory of 68448	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	52
PID 68344 wrote to memory of 70012	68344	net.exe	51
PID 68344 wrote to memory of 70012	68344	net.exe	51
PID 2544 wrote to memory of 68448	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	52
PID 68344 wrote to memory of 70012	68344	net.exe	51
PID 2544 wrote to memory of 68448	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	52
PID 2544 wrote to memory of 68448	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	52
PID 2544 wrote to memory of 68352	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2544 wrote to memory of 68352	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2544 wrote to memory of 68352	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2544 wrote to memory of 68352	2544	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 68448 wrote to memory of 71016	68448	net.exe	56
PID 68448 wrote to memory of 71016	68448	net.exe	56
PID 68448 wrote to memory of 71016	68448	net.exe	56
PID 68448 wrote to memory of 71016	68448	net.exe	56
PID 68352 wrote to memory of 71068	68352	net.exe	57
PID 68352 wrote to memory of 71068	68352	net.exe	57
PID 68352 wrote to memory of 71068	68352	net.exe	57
PID 68352 wrote to memory of 71068	68352	net.exe	57

C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
"C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\vRMdYORzIrep.exe
  "C:\Users\Admin\AppData\Local\Temp\vRMdYORzIrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\SRUQygHNQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\SRUQygHNQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Users\Admin\AppData\Local\Temp\pWTCuPmmxlan.exe
  "C:\Users\Admin\AppData\Local\Temp\pWTCuPmmxlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:30312
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:55708
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:55892
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:52144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:69860
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:70524
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:68344
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:70012
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:68448
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:71016
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:68352
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:71068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
d62b997f96cf7661038cb31cfaeee652

SHA1
95b4bca209a2ebd1436688ffbe97c6c0d64dccdd

SHA256
1f927e10b83788856f89cb83a011aa76a51b71af6e077bb4d9594e86afe9d26a

SHA512
d8c1279fb9780e452ec2edacaae9111a94b78217e4f3dc9dc2cf974dadc4b8eada82fa5190a2c8a406a04331b79041a946751e1ede04a73626d6f6591c203d0f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
97a49309104b1180434e930f80ca06d6

SHA1
35d92ba99015e1e50a9ab4d7e9fe80e2e37caee7

SHA256
ac954ac91aaf261341ffb1c4764335101091a3c746c2650676cb79efe9b83b7d

SHA512
1a20ba5aebaf9c97e38a3450255f83c1ab283cfb8ea47917dee27a7956cebdd731a8fc8360ca472a0cc8e2d40fe35949cb64b4353c31e3ba7253fc68ac84b4cf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
5a1e6deeafe4ae2cbff150fb4d0f5aaa

SHA1
d443816d63ece67aeb61473e1b01671502e19599

SHA256
6a484cc9b74010ba02bd9ae9e7e9a4b2654381b1295752666afacb3f8a9c8301

SHA512
3bc3f3a5913459e493e1aee9c7c377b45659e2fafab812bdf9b7b63d3bce8da6f0fdb8c8aa1b8a4755297db55f8d4da6c1c5ab5db0392f6b1cd8d09a0cd468e3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
4d9cb91121b7725d708907a84a29fc97

SHA1
77076ee23c197b5700fe6eb875dfaa49950dade5

SHA256
257e17ae8fc29593981d5077e78d405f315ae79ffe62c8e3213fa8c88f28518a

SHA512
b37123be7bceeef6532bded9ebf4a480332474a5775eadf36df1a9ab01438f634eb2917cd3b4a05b66c4f76c624286582818ad4cf743c59e686c94813fcbd5d6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
f6b9a4e207ff039d9a4ceee57262a0ec

SHA1
a11aab04270ae915377ba8db07642a285178d819

SHA256
94377a2108465bd68988435e63865422e1100f9ce8c31273ac41d92b9984691d

SHA512
b29057aa8c1e30bbd909caba65bbe6669e1d47a2a95f3d6e27eb9a2f3a4d049bfff67efae3570137d3c94945c2dc6b0a3a52e712e87084375f01f6314c26d877

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
20179b084c4c51eb317a95740b8d4658

SHA1
916d606353adfe3fc441daa44674f2292257b666

SHA256
bca08336dbdb75a26bbbdacf0570638887897d203dd8bf79c57bcf56095da47b

SHA512
d77f2f4d5a127d3d8a9d7265881d3dd62b52d28b522e119c9d39f0542458f98b1eda31f5e1d4b96909c500f5d45c4610779ba6323e734940da8aacca1d34efe0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
3ad3d3ff0abf7d573590a9becc348f1e

SHA1
a760adcc85749f22cba39bad28f31e5f0046914f

SHA256
42cae456fb5e15283de6a3c7301d428ae8f95f6f57d29769b007fd90d9b9c424

SHA512
5ccb3dd06eb0fa3a09541e65ace10beb2a4c09fd10d3ce71b567c543abc811d98ad3121b1c3a3f32762dfb87d1119a57db8b7b9ccc7009d2246b425eab7fea46

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
c736cd9f73ad6e40c9d1f94949025d68

SHA1
0f625aa2b49476fc6e67684f4cee5e26066d5ea4

SHA256
41c9c6c4788f58b36ff817abab6346eaff172ad1157c7f5bbe77377f9d020af3

SHA512
561305f742db8a92ef926267fc736fb236ca87d9c9aa7fa5de1397ab7e22bedeb1602f32006ceffe532af443adcf483543d120af32582ca934020e27deff5b49

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
a2ec6f5e482debb9f03ec93c809bda2e

SHA1
a46ae35e9aadc7fc060750ef53d2fc93b45b888f

SHA256
ab17259b3b8086665d2b1d2877717e582593e5d14c502f5c06fee8183d3a68c3

SHA512
909e1ac117c90c11a15f0e11a25e7f6235f0a3ad8ca7c51d5e468b4864302a72659e5e3cf14aecb248a650a828ba5082de716f75bd6d2d51d3aa68e90cf91d74

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
d1a769878d84a9ae7148d7ff5ade1e3c

SHA1
178a49aff5581136dfb0e76e471abc6d547b9328

SHA256
a0a37b24263ac9431d3ef8b79f448e1df281c8e1a0030c5ab8d0a266ab792e04

SHA512
8c332e667cd3e7b478c4cc5a59d6c7ab0bae97133e9a1a562f58af2a81f702ba19b767fa6c6e45217b790facad29888ff8230ec15913d8db82d4c3fdaaca51d6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
75f320743cbd4626e1dc6c578b3b4d78

SHA1
4bb1b81497224f4fda8a301f63a5d5f038c6c32e

SHA256
c426dadaca45e97a3c3f4ca34f78b5afce90bce435a56bf8b11e5b0faefa96d5

SHA512
438aa90556fec972337f0767e2ae754b4e2d1fec03fee735ca298885783dc9db044fe993510debe62895700001219ed74c1780b46cc1ab9563a24a2f4f9b04e2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
557dbf4306e0a8f52fa9f8c1f89d2d22

SHA1
28e085f2d03716fffa09b1f90269195a3916c9f8

SHA256
a66755022c00d72871821697b95710d1bda63fe0e49761a3752f8b60d0e4f7f4

SHA512
33023eb7a21013c887069d5d8a85cc1085e430a9817c96de2b9292acb256060c17c9fb821d1687929f59ff5c6b77b62e03d7f4ca1472a1b7f785cc5e1c7afa69

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
181f880c15fa885351f275c4be7c8d2a

SHA1
41da665673e0ab101ce811cc8f945d5dbc9f8e04

SHA256
465cd2cf8a2cde56d65a615c923cd79fdd4ef58a4f1bba871dda4a56081dd7aa

SHA512
9d6082e39e89bdc48e7c9e52c8dd9b94b1c88809b5b134f9b93fa139eac3327405867a5c864010fdf4f4284b9ddd60f8e38390bb11381ae4da743064ea452ea5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
fc911728311d8303dcedb7abdd4fcf61

SHA1
e98b5768ad5246694b44cc584208e012f33858db

SHA256
cd6fd85b161576774ef72ef063b3840a4b25edb0bd22838fea7b3e4278425c92

SHA512
f054841b93528f083c3257df1fda41b64619eee60c916c3c8e9192442f6475ce9cec5d6f16ea5d01a72df065a69774a7cf93e90edd80b1083dcc8217d32c704a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
5c6ebfe407b7a3295091b3b19e3c0911

SHA1
defcc5e226af8fda3b7165696d5d06b836c07fb7

SHA256
e1699208a95efc1d2c215594fe83416d98a055b3a5fbbb05dc2bbedf2654b341

SHA512
f623263828efbd9b4b50ef2afe2c7d493f56ad2a26c0a0ead65548951ef9052f13f9eb46bce1f1366d3a6b76a5121478386ca9470ef84f8e942d2ff742f9fe6a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
e48eebf495990ff1a3dc22a2ec37f203

SHA1
2cefc601e06de6ce3f214c1ddd7b870ecdb491c2

SHA256
7a80bdcbea457261fb46a554df3f81d70ed85304619d51953af0b3c6cb33a133

SHA512
11bcb9205c01ab3968f25b11f2058b57ca5bdf23361a5563d81c98a89be51f902216f0f61034c68e759dbaa682ec7740b829b27c5c93836d9d6b98c89f97a7b5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
288dde7e842620ae9df18dcfc087ac33

SHA1
dd91f1d8b3260858b73096acad828ac531d122b3

SHA256
e04e472ed6f48094e15f548226e8dfe16dcbebcd1e5f90eb750d99e7de39b0b2

SHA512
af15ef373320e1b55b73f49ba04be887c596b4c4870b64929d90451d0030f504de25cc4d4b617b3f3aea972faa3cdb28a2b38d38525c8774aa11111fd1dfe77c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
6a26a86fa3fc8b0234d028916dcd4125

SHA1
b347fd3d15dd1eb9a4b681fa9438a574e494215b

SHA256
185f915e75d57681cd5d2a3155228bb62ad3497330d02920e832260acc15c72d

SHA512
6692730c57a4708be77b68a2ec6dd0829dd74ef6c50834f29ab36e7f3d8e3a42b19d5a7ef3bd64d674fae028a2b458cc14d218076de4361236406a97ed476c4c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
b3a64c58aae5bf9893074865691d5c35

SHA1
1133e8610afc1a955f9763dd44f55f3156f1c64a

SHA256
38779bb630bee341cc2dffe397a6034dea9c1d929c079b7de19201054cc53fab

SHA512
acb1419ac58d8d84718644b7593e44eb8d225d6d122231644de2e91acce40634af0c493b1ece11d265ec88e75ad9f96011f716740fc782d2c6005ae4f5b5c2df

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
0784d607ffa01304b057419bdde4a8e6

SHA1
669a6c8870df80c55493257e5e0c6bdca16de398

SHA256
851cf22fd69bcd63bebc3c97fb0ebf140b911cfa1558026a1cd91bb0fecbe72b

SHA512
8a4761eb949e96c5c95e3d78f454346c7c1965d86689a06b9be75a1cc3ba205b077e9dcb115eec17b0b37a41366c97874a669e8f76c06cc0baa622aafd3aa38d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
801cb82ffea59bed5d9f38de8958962f

SHA1
b152d5652d22b4720fdf276c314acfc7fdec3f09

SHA256
3ede4c4032a9bfe74ea1674f4b3e5092e8e9433b874799ad67f3ddef4779c853

SHA512
bad950540e812ce27884e0346aef2d24fe8be190c7e0a453f79ae3336df8d1d1b3842ad704d783eb66f755c3455b6d77426b68944ec7c0159ff53f6202623dcd

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
0a5cbc4792463f2cd43d545ba1237dbc

SHA1
74079b28ea8ef140e68284d8891e1fbcfc0fe677

SHA256
846a5d66063048b52015a7426eac2b2a064c8c16733f7a667bf3f24504c41733

SHA512
6867139e3c24cacbd700a7926222f7ade1d6f9b395d6ebf2d2b10c0fd8bf8cf2b5b0e91978531c44759c66736462e70907ce173e05a09f0f59ad53c39b87f67a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
9799a9f08e14c3e2bdb8138ad52636cc

SHA1
9fa47efe063b32282b338269cc172131e2226cba

SHA256
64fa593eedf0a4bbc7a5577fc016bb53676c3efd2fe2e18132b74a6a7d3c11bf

SHA512
9cf111abfef0b9df064eb31e7dd3f590bf74c237db3ecb93d7f240c9eed962b9ccc261129067bf02e40045bf06000d8674ed9da537bb49c15eba555c3aea959d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
969386822b87b3195ccaa86e2f18226e

SHA1
bf47ee7b4132ad414306716712ec0e6837847943

SHA256
d369e285a7ac1668460020189f8d29013706a03837edf3244374d11dce447eca

SHA512
771c68ff1658919d2057af7b442859bbaf2d16f193ec25d47a1447fce5204e59e5611765a4690ff02885113bfdf7e2d515da0fd9d9a90929319dfb31bd1deb78

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
3bd1859bd74b572df3d748264c59e329

SHA1
d661631df4724363683bae42a5c4d0580c78e3cf

SHA256
54281687ed994d93bc6249828375ba6a957f0237cad7257105791c6ddec5a95d

SHA512
66a538c0283374d3c975d42e0988598ffedc936c1b43a840e104bac9e4cbc8f457cac30080ffb81504d8fec99661ff8424fe40b44349e5228976a7c2ad800e7c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
76c0d4346d2f1f830e225dc650069b73

SHA1
a48c3a20b9ae8ed817524370c716ac3d8e91479d

SHA256
ab4e7f4e4273a65d4f58804bcd34230f7403ef61dfbcbd3e6e943700916f4fea

SHA512
1c3f3ff79f50404942b5e8ac475b33e518c78ee6e3a24fed54e6cbea4feffc7868a325dea78ec882dff11eec3e287795e2a4b0b3a6885ac5def1e3baa3102d00

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
cc6b761dccd2ad87e46d75255b93a547

SHA1
523195880bcc37866f76e9c814dcb489d249a0ae

SHA256
de78aae34e14bd1cc5e7ceb428eb7ce3dd851500bf6ba7c46eda4b143224aff6

SHA512
b0ee87653b19afd323e44aae1a552c8948ed59300ee9d755cac590517ed4f09d9aa6fd93a77b93ab02989500391b36d59facef472f22dd0cdcb440734ac3ef81

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
94c747f3b602b9abaf6d25cf723a694a

SHA1
748c18cdab7cdda332c7cd0dc68227b8f82ec0cc

SHA256
9f98f57e512f919b9d5abaee67ae168ecffb0125ee92debd887dedbf4a0b16aa

SHA512
1fa60b01f374642b6e6577321c8de508663cebb66e4ea18e1a33612b2f1e430db71603007a4a3697eaa1241c7a664d86244611ca1ef9fe6395c8926092b4d8ad

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
f972c5bcf3f29a17bcba0bfec1d84648

SHA1
9053b136fa1858cf21b499bed183fd71d67c99a8

SHA256
ed3737cf51a8c7ad6884796659546bb46499c72a4f24e804cb713a547317cca0

SHA512
6ee9df56cc01d47d7473a92bba7b8ba25de2b034bc015ca6c9aba278969d1e09f180de3aae620e3699adee69c66af7a1360105e5c11c97da8ad8eb719ac4c802

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
fcef40ac34eea5d278f434985a94fbdd

SHA1
7150f7296ffb02ef512313e5658e14d9e6b4e2bb

SHA256
2d2c254c8db22ef4fe0602defe0c33e1da6ef8186c94d2b4c2413b3c2aee2aeb

SHA512
cfac6b14d52024025efe9521c2f88642567344d99bb10b2b39e30dd543959e8f6d1af2885fff011f1ea4cb9c7fd1b7f7b884b1e44d9e672a5f708b88f1dc4086

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
97c9d0b35c666be1cdffa8795e98ac9a

SHA1
eeb968c8fa0a689955869643576953a61dc0fb05

SHA256
309f9317d88101f2d45290caeeea1e88744454ffb719fd57a2d9f2b95021c57c

SHA512
de694091ad3d1862eff5c2027b1604b52b55a4bb13b9818bfa02d5933155bee6ebc156ea379016fd2ad5dfc0f7b9fe29cf80c00fea59bfa47e5aed4f89d300a4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
9cbaaf843bd128c9944027a674d797d0

SHA1
7dc64bb2c62b900935ec3203b5f5c5249914a76f

SHA256
ee84169d4d13fe4e1f8c5f21b9016d367f26cacfaee419e3ad0877c8fb7fbc8a

SHA512
4d32bf2a6a98171dfc4f31de9488e7fbf0c5495d2dfc680b8bb415f974a7d3b46899eb15f3e51abd6624986b38956d82b4407624e04187d6c64e5cf83258c286

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
dc6251555bb8c494a5cddc04c6bc0cbc

SHA1
1bc3844b14b8caf8da40d60cacb9483ca5edbffd

SHA256
7942304eb695750f7370889ee73c9bb73b666a55c3b7b9dbdfb79a6272c3d4a4

SHA512
459a2c7a5cfae73159b7feb1e55ddae501d649d43bc4ac0bbbfc92e5c83cfdcbbee939e8297134f4b883e48f51e573b9de2ae0b554db2b9afa789116a6af7ef2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
030bded741effebbf220b3ab326f6e25

SHA1
4c3028f6a9047004333f32aaf87f8136d4b64d78

SHA256
f26286b0a14ba149f093e02e9eca94f7a6c50de6f9545998f6ae3d9045bd945e

SHA512
e4963f47fb891b6026faa76451a4c6d2c5904c7808b82cdcf7a28eab6df4be8cd7883b906007518af4e60b501dc0ee29806ecd6e8999ef9af51a921c709c6abb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
4e6d638e79b3fb963a86b6ded15db0be

SHA1
8875610398808fd35560105188421a3206e5fa47

SHA256
a10d290a528f719bb72e8c434d592851213896002d94657369ae127fa39289eb

SHA512
880d0251b7a48872893e6aca1da5eab5fc78feef65fb2727d15f6036c1a67ac01012c1eb316cc100febee817d2934fd46e4b020c472491d85acca12c0d724ba5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
1aff33491d0a659969de25951f79320b

SHA1
8ec0b8dd0fabf6244809deff2d13e98ee8e3dd7b

SHA256
097eb517293fdf8140232c7f65ddfd4520c201f520423ed28783f7e96a4cfa2c

SHA512
971440d9cbe1229985ba2e03c837b6994fc62524e94a5b9b008c3026110d8423d771ab6d4a20e58ae369d827e5138d4fd399a6d373941159595b74f841ced61c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
a093931e758308ac03c42e1856e63f76

SHA1
7c8072b6d0d0ce54c7f39419c013880888601d67

SHA256
58f2af51fcfeefdc963e6673cb67b74a8d9cd852b19b032b3e75ced94fdbc589

SHA512
5da91f87908e4ab72b7ac7d1d36c92078ea3c828f27b740757592d7fec16f7ed9d302f184be0d5ec4f99f812003c40c187844ece76afa3a9e4258f42e97fb430

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
06471ca6cec877e5dc3926b1489a7bd4

SHA1
af5be8ca0a953708db988a25514dd5403a3cef60

SHA256
c22dd7c131f4111de8f47ba4e0b3896053db84455dd3e321e03a78bfe05775ed

SHA512
a715f0fc86b166286e50aee840bde2c95e9fe01d9a50529ea15f3658af28492cde19f17da050ec03452e0a67c0c801bd0e03b414a05888689c93119ebe0def94

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
b94bf3413bcf8148275279f4994c00d8

SHA1
fa58515fdc18905d90bed7b7299e2ea6b5fb8779

SHA256
72fd62f588d8f18b0a81fe36d5cf76d74d1c670e3f429f7e36598b4a0f0da467

SHA512
72ffff349da4c88598ade71f69bc7e1afa72066bf9d552b1d916dc4d99fde1bd2cd3b950f50f9a87bfb83d27e75c83f2cda9debe67a9e5cec48772c724675e39

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
5cf0c19964f2de308f48433e78e3d24a

SHA1
9a14fcf00d68f64647f4b9d807685d5c8cee2573

SHA256
f5e579c28356cce59dd74dffac7f3c066b42e08ec0754a40f7464a9a742c3f42

SHA512
2ef4bcb6d4e246618827b1c0fe293a0536a812107ca38836d6fa51e0a10ffccdd705a1ab10b1ab0a2edc9a2ec3af65e938a14ecba014e8de19b55931a5c511bf

Download Submit
\Users\Admin\AppData\Local\Temp\vRMdYORzIrep.exe

Filesize
279KB

MD5
5df4ac6e94ae7e9f9eb28d8f7f464946

SHA1
79f222f94fa265896c5e4578b91ed4ebc100058d

SHA256
3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

SHA512
18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

Download Submit
memory/2296-63-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2296-40-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2296-46-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2296-67-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2296-73-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2296-78-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2544-0-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download
memory/2544-8-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/2544-4-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download