ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Size

279KB
MD5

5df4ac6e94ae7e9f9eb28d8f7f464946
SHA1

79f222f94fa265896c5e4578b91ed4ebc100058d
SHA256

3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f
SHA512

18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a
SSDEEP

6144:IS1cGDFCQuthKvzggi4quAM8QRofVjjdQxpBkAI5rZ/OuHqxwbmmjO8Sw6Z/rqS8:71cGlutwSuAM8QRC6pBAZmo9sZ/rhgt

Score

10^/10

ryuk credential_access dave discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'oqsuyezb'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (1569) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

resource	yara_rule
behavioral17/memory/2032-8-0x00000000003C0000-0x00000000003E6000-memory.dmp	dave

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2456	FdmWhdYRXrep.exe
2648	xKlovupqxlan.exe
30272	UEpymZELwlan.exe

Loads dropped DLL 3 IoCs

pid	Process
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
61824	icacls.exe
61776	icacls.exe
61792	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\de-DE\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jdwpTransport.h	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\.eclipseproduct	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\es-ES\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Istanbul	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationUp_SelectionSubpicture.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\203x8subpicture.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-io_zh_CN.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Broken_Hill	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\CompressInstall.vdx	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcer.dll.mui	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Prague	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util_ja.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\System\en-US\wab32res.dll.mui	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Heart_VideoInset.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Detroit	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Palmer	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help_3.6.0.v20130326-1254.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-visual_zh_CN.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core_0.10.100.v20140424-2042.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\btn-next-static.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Godthab	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Havana	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\RyukReadMe.html	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\tools.jar	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Canary	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2456	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2032 wrote to memory of 2456	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2032 wrote to memory of 2456	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2032 wrote to memory of 2456	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	32
PID 2032 wrote to memory of 2648	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2032 wrote to memory of 2648	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2032 wrote to memory of 2648	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2032 wrote to memory of 2648	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	34
PID 2032 wrote to memory of 30272	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2032 wrote to memory of 30272	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2032 wrote to memory of 30272	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2032 wrote to memory of 30272	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	36
PID 2032 wrote to memory of 61776	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	38
PID 2032 wrote to memory of 61776	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	38
PID 2032 wrote to memory of 61776	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	38
PID 2032 wrote to memory of 61776	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	38
PID 2032 wrote to memory of 61792	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2032 wrote to memory of 61792	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2032 wrote to memory of 61792	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2032 wrote to memory of 61792	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	39
PID 2032 wrote to memory of 61824	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	41
PID 2032 wrote to memory of 61824	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	41
PID 2032 wrote to memory of 61824	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	41
PID 2032 wrote to memory of 61824	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	41
PID 2032 wrote to memory of 74944	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	45
PID 2032 wrote to memory of 74944	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	45
PID 2032 wrote to memory of 74944	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	45
PID 2032 wrote to memory of 74944	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	45
PID 74944 wrote to memory of 60588	74944	net.exe	47
PID 74944 wrote to memory of 60588	74944	net.exe	47
PID 74944 wrote to memory of 60588	74944	net.exe	47
PID 74944 wrote to memory of 60588	74944	net.exe	47
PID 2032 wrote to memory of 76136	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2032 wrote to memory of 76136	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2032 wrote to memory of 76136	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 2032 wrote to memory of 76136	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	48
PID 76136 wrote to memory of 77380	76136	net.exe	50
PID 76136 wrote to memory of 77380	76136	net.exe	50
PID 76136 wrote to memory of 77380	76136	net.exe	50
PID 76136 wrote to memory of 77380	76136	net.exe	50
PID 2032 wrote to memory of 68248	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	51
PID 2032 wrote to memory of 68248	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	51
PID 2032 wrote to memory of 68248	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	51
PID 2032 wrote to memory of 68248	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	51
PID 68248 wrote to memory of 64620	68248	net.exe	53
PID 68248 wrote to memory of 64620	68248	net.exe	53
PID 68248 wrote to memory of 64620	68248	net.exe	53
PID 68248 wrote to memory of 64620	68248	net.exe	53
PID 2032 wrote to memory of 76932	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2032 wrote to memory of 76932	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2032 wrote to memory of 76932	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 2032 wrote to memory of 76932	2032	3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe	54
PID 76932 wrote to memory of 76916	76932	net.exe	56
PID 76932 wrote to memory of 76916	76932	net.exe	56
PID 76932 wrote to memory of 76916	76932	net.exe	56
PID 76932 wrote to memory of 76916	76932	net.exe	56

C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
"C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Users\Admin\AppData\Local\Temp\FdmWhdYRXrep.exe
  "C:\Users\Admin\AppData\Local\Temp\FdmWhdYRXrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Users\Admin\AppData\Local\Temp\xKlovupqxlan.exe
  "C:\Users\Admin\AppData\Local\Temp\xKlovupqxlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\AppData\Local\Temp\UEpymZELwlan.exe
  "C:\Users\Admin\AppData\Local\Temp\UEpymZELwlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:30272
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:61776
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:61792
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:61824
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:74944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:60588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:76136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:77380
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:68248
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:64620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:76932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:76916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
bac9f25a29282fd6c92d49755b40a97e

SHA1
5f65cdbc6be08878e908b933e7e2d1ebe1df16fa

SHA256
c43e231a2966c373edab069f00900b6e64ae88e6ba4cdf984568744d45b4ad9a

SHA512
a1d76fc1f4f5af65e67ea74cd492be2b22f6f6743f3a7bc0388701069021dd96b07faf57eac848b557c3d5d7f9f4be0daeeaa66bf96c8e068bc40bbda8ecd782

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
60646cea5ef1ced0e82029054478fb8b

SHA1
848979b49033c6010022811d1e7a4e30b29fa31d

SHA256
8bc4b833a1d6d699930f4298fe0733277b3a31ee0f28ebb7cd899e7cd8f0237c

SHA512
f0c497304bd4d2369f19256318727a4eb7eaef29099122c8434fce7d6c4fdfe039a481cbd70498c6e7f1fe5c4d58d82911e59a80d97952704d38bc4cf7213ce4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
69680aece2a5f7f9570091ecc9218743

SHA1
73f419439d1c63186a09b12ee07480e505797123

SHA256
76db47734fc2b7055c9375063bb90723532ebf517c815c3e7dba6d07095ac0af

SHA512
9c01ac869ac24cb1e94f55de1c9f88e07bf4d7856696147e48045d75e4b25ecf1ddc28e8700cc939b104c84a289c005b081893f6398e1b3f3237e89ee03375bd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
af40c1d7b6395d64a26bc04e5d6ca5c3

SHA1
610eb5c02a936ad10321c174452d0c960717db7d

SHA256
285e8bb71429614be0318f4c9c9eafd4288982b8ab97f9f66ce74984aae44d22

SHA512
ec3931a87457d262cbc7f4e25ec0baa403067a4b210f99bf868d157baa3bb5df01348ff8957ed557c17e15f9a3ffa96db61a94090ed0bc443962ffdcd3bd0919

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
893305079c79e3f681773853e668ec7e

SHA1
918766a1789a1b9575ac3de813f70126518556f5

SHA256
2c8013dd31dc6b41a0f6f8123fbc5907d5057d62c8faae54fe4c2dad4174bda0

SHA512
fcec290b2b27eae1d85da75dd49d2521526f6ab0edbc5f0046543bccbbfb1ad9c67aafee4ead07c8bb559ccc30eb59410ddd49cfe3754f5c38a0f49be7384419

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
263eebb50070b9ed36cea9a30ddf81b3

SHA1
38c3e4fbb26c9ceaf64997537b17260613710227

SHA256
bd1bf2454f7d568298230c1ef228f9fe2eb642bc2f5f5c422e0a83f276c69ac9

SHA512
85a4d519fae19079baede03ea3a3d72153b1b5a7b2ea8a06841f19e6e6706f7f32d1486c415b3ba4650a1d4ef271d825144a307bf660f08c46677ad5da2780c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
67529888e094abe1753945f8074d29da

SHA1
5db5274b9f9d993a18242b17ee2df63f6340f847

SHA256
ca96c56b43120243882623c73906428245961b6f65d349435112ca1ba390f507

SHA512
e8d20b2d6e21d767278b2ef4870c3a2db7e392d151d81cd8bc106a7a4deec39be5972b360749dffb502eaac6b76bc8e4fa4313070e61626fc3c09443aa8393b6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
e2e96d15548b781c031c43f4e27a7e5d

SHA1
a3d808b40fad88b42ca82cad63afed71fa87253b

SHA256
1ff4e3d37392564176eb8ef26fe34be971a924f59ea8cc4e9ddd2806b1c4eb06

SHA512
34666038d0530ead581e838896c77afa3b521815fb24177915befef2150ec2cf3cd46d1d92c135c559d77ff93207af95d1a2131a127948df940a69faded74fa4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
2b6f2c317307128989a2c46b0832fb7d

SHA1
9ea1312ea405b1e7f2279d4a885e9ad61aec1d41

SHA256
45d8bf9d07fb402a335a6bc1612d602644b6e6a9d587f4d457af57cfe60c1f24

SHA512
982c04a505766e5bd85a04cb1298feaeeea33b3cf23d032aa999dfc68b824af72cebafb5824efc6b48d9cb1d91e279ff25082205cabb43adf343c4e6f1841f47

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
433a3afce64445b99e120a76acf4e91f

SHA1
76725ee5a5cd80bb8b665c2decbf9a4eaff8f393

SHA256
bb8276eb3f06d1be524bbd96bd2563375f023ea8fac7d872be25cc0efe778596

SHA512
4c00e1c1bb891e6c008fb6490508817452c310a7822b8fb19322122da09c635bab7b6aa951b2128d3a56ae09970437fed6c36126013c453f6ad7a2c76ad0cd59

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
e3f3c2dc1568c75dbb666d774ec4cbda

SHA1
bc0a6631f08fb368146922437169b538273a8ac6

SHA256
dd9e692678d99995fd2aecc5a78e354a4a5455d43807d792c5c5b7793b9d90a0

SHA512
e03b854c7ce2587df6b16fbbb4a7f4e6d8ba4bea37b53c389a885de3760ffd60a7a42118e85344432316bf8fbc1fb506de07bc6b3f947ec09d9e0dfe835433f2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
91e211925f75a8463999ff1e2bdf3700

SHA1
c4314d92a0a2e2b0dbf47c212a4ebcaeb7d97026

SHA256
a96e9567950946ca1fd7c28bf8240d8406a213ef15036f8429cbc80e1cae85f5

SHA512
cc4703190912f44ef53269a081840a91408ab3ce5853bbf15545a9e6d94dde73cd3afa7f1d53ae31bfa03b7e0fed5e44e2df843a9f4b5fc910cf35638999ac89

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
19469aba7ca56e2b155d14773f92e4d7

SHA1
de3b5669ef839250c518cfeb4eb38a85a34c6a24

SHA256
d4cf5a2188783f67162f44a64771c91c62e7d52cffa93fa5781cd0ba02d8bd77

SHA512
db0591e08af6724467496459d5efbdb1cbd7ff28877df5ccb407d72c4cfa1560d7993ee285e80980d457c51c0e7797dc05534069074d8a406da7a02fd930e37f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
b124473e2cba7407e05c39fb75541ff2

SHA1
00e7628e1546af780cdc5ade1f2b91c4b00d24f7

SHA256
e01016164d9a31fc5f8510fd02ade5459bfe220460052acb48d15b1678eff1d4

SHA512
fc990eec38e6aef87cc97eaf31958a3ba48dfaaeb41e27f72b27734c585755514956293c975d273128fda60ce07ff626e6b928f967e52350e093950bda10c2f7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
f178e826cc551a610ef9a3412bf09505

SHA1
7413b6d74893ceed01abebe521e079642587d3d8

SHA256
0dc9d4443d80c4aeb1f5996cf12b09c63399cfbfd8b96b35a13536bf6fa07414

SHA512
6c5ad7c564b24950302149105945418900e13c18e25d0711b249104a6b3db3e90df929d538e52d06ecb633f8c19533dde100e441436bee234f310203fd5e5e48

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
5bfa27c44b5c31975fe9f45a097c1d29

SHA1
8cd39fd68ac03863354dff2e71580e3772d0adad

SHA256
4c96b3b07681bf4f94c2063762af80a706a577d13793754d3bb2a3fc3b39bda6

SHA512
98bbe39000fc29b11831ecd0afdf89d98f37b763806e0a8671c8215872aa914c9bfc54f18e90303f16ddc61dd9fed0bd2bfddc5fd45fc82db156fa7a3ac0814c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
bbba32f1b8832a87c3a21650c04c0929

SHA1
fed4106e7cc3b06842cf4886120b98c5cd900de2

SHA256
af5c65b0491caecf33f1f5a91fafec2be101d465cedc15894fdd3538f0a33e05

SHA512
49f0880d3ab7de86fbe5403361ea2b9b49dde77e65a12278c50a75b8330bd3bb6f87bd65919ed50696a62c0117750f4bd38bf97313abfcc2f63a5829fcb7df8d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
274d5da0e78382d75fd3e32eedda1ce7

SHA1
29129e5f0a7bb2d5abdb405b765a13181efad834

SHA256
afd042de3a4355f1c20f02e6e8ac211b6c1b9890cc40796db6789d950bbe4158

SHA512
995db719790126d4a907fb723d4335321c3a6a9f984b6269dbfef534895bbebf74f7cc2646035cc603243332be54bfcf2e9739466569e3a995ea4f7432e04aeb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
21743e9a64de66b9c81b4e7c4de8366a

SHA1
54607314d2859327f88848966efac54d02a5e3f0

SHA256
09d501728f4eaba207889558a004cb0372a709587bd3741b8535e68f439bec01

SHA512
373298d767d64c624d8215a79992e6aa81b8887d4ef899c06714aad17ab299c6acbd237199f4060596b33bf98051dad9d9508a337e6984c38dd71f982535888a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
21297fdb6b52bedeb7d4cff2ab438ef6

SHA1
b681cf2e0921d32e1c176ea8ec93286c32515880

SHA256
266bd6aef34e73c7759c5997ea50dbdfa326e4e9d4649fc04cc99312ecfe6da8

SHA512
e575b1d022aef82254e67051658bb97709035c615a6d8f206f67f4d355563eefbe506d4c4347e4245e49d2158b1469ae5c467fb43d4144860c0c8f63b9a46e5c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
32a4c9439678c4f1237828f66768a5e7

SHA1
8dbdff4198f48b04cab0188e6608a82288ef1ca6

SHA256
4f7eda9b8c4bf771a6c3962120589e5e437b34147691272659cfab7cc994462b

SHA512
21e0160d6ca3b6a82d58febbd51133a961843a630ca33487b41a43132a0be5bea9329663e655eb9622f8642ca0c16124ed18de2d2afee9af1fc3be7575d9be94

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
3ad34c18ff5d9c9598d5d91acadf74ef

SHA1
44b8e661256404196f53cf5f23b905f9f859be67

SHA256
8a16131019c0c2d8cd57f63c3c304478cab691ebd01f4c482a5e5edd90d494c5

SHA512
712e484a1e5e65475e30302d9d1ba569f2883e25f9aa1e9d877677915df6d48834d3ed55dd3af5cfc5bbeb465ddb6bcb2eb2829b508f5e8379a029af5f759fea

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
4d16feeae93bef2eab3eea2bbc687664

SHA1
b4df6cbdeb7654eee086a3c16a2bdf4bdb1e059b

SHA256
8a5bf5ef0e337bf30213ff4b2688776d24f7adc07ae1946a388f77953c5ec791

SHA512
49e9ee2d71a7bd418e9688eb23e245a3384003030f405737f4988f62cd722d91e60387c4dd69764e356ae60778cf76e7f05b059f3aca0117f4b1a8938309c563

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
975a10e10657d9a76d7b81724c969248

SHA1
d595094b0c72762bbf731eecc5eb511a6abe70d3

SHA256
fd2156eb9d0c2752dbe8b1ace4def2ed5fce75c12a7af76749fd03885b265a24

SHA512
3fc59362ffad3b1ecb69791a83cfad858bd4acc1e6506c13728a71662dd1edb8c7604132166849822b7ebda740532045025fc070f84b9c2923afa6939aac0090

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
764c008d39379b21eabab4e454733ee7

SHA1
2da605b799afef2e0169c7ac3bdb0508e4484249

SHA256
1294f5a4a0d5cd54ffe55bd41bb7993f6ecfe20051d853248c632de520e440f1

SHA512
76f4bc5b8d0d57e565142cc8b3a85da244351c88db714c3432bec6e45582a0a994f1cd4bb23a84bb9d1f9853da986892d380320fb091a68581b6c37daab9465b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
c32928929507120c21083f7153a1b2ab

SHA1
f71bcd3450bc5e04c5e20135f52b0dedef881cbb

SHA256
e3f76e0a01365be1307f76608e5215b22e2845960c36c202ccac567195e51cee

SHA512
3e562d1fa9c00f47193fa574a5701edb78da1a28c08bfa0d4a28482e4febc41deb71fb254dc9b070edae0773dfd7cdbe785f267a71f6bf52887ba8da1a68ab83

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
fbce595c2a09cefbdb7dfe4af56ba830

SHA1
3622fd551acee0ae1b19349a6e496311b1da8da0

SHA256
67254e83bf952e708c16e75288104528398f7ab86a36e22f414cd62f1e970ad6

SHA512
d107dc250547b55db4dadbda8546c6aeee839d6e43a3fa4926f01bc4c08360640d04beb01ba80596612646df66d5be3602857badbecc1663f4a20fc26c6dbb52

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
f4652d043c9cc63a8bd9a7ce57094ebd

SHA1
4b13519f10e98057c3e58feac8cb9f4371d126ab

SHA256
843a181279162751580a02d3eb816f336e3d3944cdb93dcd128ed39686f29b2e

SHA512
ba1a203c42cada3676d06fe4b4d925a0a3f9a52f51ad150b9d2c78d2698fc6abc7cd838502fdb6a3ad2c0e372f5f9586c284ebdc065536f3c6e4daf0f4ac0bb1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
5863c59101a7500336e7e2d562720b14

SHA1
84f7ef3f616ceb02afd43746b33237fcfb1ce573

SHA256
b4a0b15609ab6779ca866ef325efb3fb37580ba91fa773e4c4b9c3414ccb0928

SHA512
26ef830d42d31e1f30d09cca07f90b5f42e34bde679ca59805833d87e93f2b400c2ec82a090884b4974698028396ef6fdcb711e63c48bdf5f96d6a4029577466

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
871c8d13398b9d33bea78984766112de

SHA1
ab7845274baf5c8d51b1bd336e2f9ee5c3737124

SHA256
98c75b8042ae62bab077eca35501b5904621cfc93dcc63bf61644923a0c6ba16

SHA512
91aedded45f17956eeb1355be5528dc7dccd4b4e0e43c2f15d30d4bbf2546a3c0535a5d637078ed48761079800b1d966c2bd27fc32ba881c590a5715f1cc7364

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
4b5669c7c90e8f43423e9af60fc47928

SHA1
2b3b4cb451a83e4e8ec82c26cff2e6d761f21ab1

SHA256
7905481e328fdf51495a737ecb503e0aacd2792a6e73acdb2e495cf3152ee092

SHA512
f4dd385f00e7393eb2a0f74d199cb31a19f178714497a93c07be1aa408575422065d2b315d4739ccf987a6818a86775e799bc281809126d6b794c176afa57224

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
1a73ca2bc54e26854864bcdd2e007e12

SHA1
6851644c4dd74f1b18739dea3f6e8aaae98fc8dc

SHA256
e6bd96c0d96e0f0e1d8e4805980363ddadfdf24aac113647168631685d124119

SHA512
8991538c9f0d25f39a822a1c9a01c3afb86f06f2b002e77791e2dc3d19d99043837604ca964b89be48e105eca52242e95605888739d7265fd80cc8cc0bdc7f91

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
7bf1756fbf7ab52a532a6ded1f097cb1

SHA1
5a5c50ba2d4d0d895e836e7c55d29eb4ad2ed704

SHA256
6ca19ee75fd3781125baa80a5fcc3857b25908a9c21e5cd219a53e93fab6acf9

SHA512
4c5330bc308f188db2d36761b94d4524992ff5c396b5d69ac41b8476d1279d30678f260cd3171ac2c38d667de7b5418edc18401daf7acc18c3b610f7ef861f5f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
2123e6d73a2afbeea6e9989565ce7a12

SHA1
368136ce7ea7f0b655265e5745ef165cf4dc1684

SHA256
abe8a34e02ac5ccbe8f2cd3eae0e694225c61626e79bb77c048e9401c8593772

SHA512
9083118a643475271cbe971c2b3724f0fcf420a261e6ed621aaad08c7c9d4b6c11b02f40b0e42ed46cc3dc0db98ef6300a96c9cbeffa66528f994b22befe7738

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
7a35f9e5f8c8dd1ba745680d299fd803

SHA1
392babf8648182ef791fdafbdf4b0965e835a45f

SHA256
875bc6269da5ce94ef62e4706447ea08cc319dc6f6d55ff1a8d02821d9b1cfdf

SHA512
53a677cbf92db4d882579beade91b085159331baf195d21c7e429cf95410cdde374fd02417a00ba51236eaae7c58ccc5ae599fdf393044c47a75d46cb5fd9ae2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
55aa9c2e7788e0e07937d68d60483bc6

SHA1
bd9cb76219794473d22663fb02c5fea9a119f208

SHA256
a4353435e60f5a30336aa6de65f20be33ea53efef3f8863f04ca34c44b070c83

SHA512
697e6ec96c0f2654cd58a6af0ab2eea1d2d4d1db9d49b8f97b970ce724a644e00e6c5b1dac1002ac878692c5a8a897b445008e20ecd685a69e73433fa375ac50

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
126a30b547a81533559176b812b53f46

SHA1
a508834cb85d8ec91be354bd3042e9f33f83aa86

SHA256
5beedd797e5eb8cf3f0bc742279d711d6d9decba8f05daedd84ff71f2074653b

SHA512
ae99a0b42799e23ba48a6bc09555a0a5ef7fb76f27b0bb3813da32a586bc94a6671c1654ab333c8ea2ba45af79bda380fe2ae9ab9706a5e02f03eec24978560f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
733111e93c6165293d27475d3f230916

SHA1
422e2a9c9d3e2a08240645a1ed137156b0f0077e

SHA256
c5f2550357031e1ab3ce53d9d11643030039e37abf72e50a12c906c0f54cd7ad

SHA512
fe58f9b80b168b05756d8292ed4a39a9f22ddbcee39e767c331f1f5cb61c62c507e82a86bf46ab1cc0639df76070abd7dcd446410f22e1faf1646202ab74f7e0

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
b7e37af548ad56c547f3da1e2fb85c60

SHA1
cc8f6528c12a161693a6fe0133a287a283fc7f85

SHA256
24f9baf7d4d60ce58081648d5783e98e0c68bc32cf8b3fae5f0b9a750f6b9ff2

SHA512
39ab331a980a4df41fd5eb07758c8cbaa2585e0d1554a04eaccdfcc3ec0331e1b523cb4c851be6214acd80219443f16016eb493e771fc3bb330e57b42b199496

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
5cf0c19964f2de308f48433e78e3d24a

SHA1
9a14fcf00d68f64647f4b9d807685d5c8cee2573

SHA256
f5e579c28356cce59dd74dffac7f3c066b42e08ec0754a40f7464a9a742c3f42

SHA512
2ef4bcb6d4e246618827b1c0fe293a0536a812107ca38836d6fa51e0a10ffccdd705a1ab10b1ab0a2edc9a2ec3af65e938a14ecba014e8de19b55931a5c511bf

Download Submit
\Users\Admin\AppData\Local\Temp\FdmWhdYRXrep.exe

Filesize
279KB

MD5
5df4ac6e94ae7e9f9eb28d8f7f464946

SHA1
79f222f94fa265896c5e4578b91ed4ebc100058d

SHA256
3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

SHA512
18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

Download Submit
memory/2032-4-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2032-0-0x0000000000450000-0x0000000000478000-memory.dmp

Filesize
160KB

Download
memory/2032-8-0x00000000003C0000-0x00000000003E6000-memory.dmp

Filesize
152KB

Download
memory/2456-40-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2456-74-0x0000000035000000-0x000000003502D000-memory.dmp

Filesize
180KB

Download
memory/2648-31-0x0000000000270000-0x0000000000298000-memory.dmp

Filesize
160KB

Download