ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
96s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4
SSDEEP

6144:0foeu9rlMfTOC5TGdQJEMpc35IA0dOYiUeinhn6:0fdsUCiYQJxc3YiUeinhn6

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (1214) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2536	ppoeUPVVHrep.exe
2812	GutMdIiYIlan.exe
2376	JQhXpTaNElan.exe

Loads dropped DLL 3 IoCs

pid	Process
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
22136	icacls.exe
22128	icacls.exe
22120	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationUp_SelectionSubpicture.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.expressions_3.4.600.v20140128-0851.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\accessibility.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\dt.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\InkWatson.exe.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\oledb32r.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Mazatlan	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\OmdProject.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Creston	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\GrantResolve.pdf	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Singapore	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\CST6CDT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.zh_CN_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\ado\fr-FR\msader15.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Merida	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\ShapeCollector.exe.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\msinfo32.exe.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\fr-FR\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Tegucigalpa	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\TipRes.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Mawson	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msadcfr.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\1047x576black.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\pushplaysubpicture.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Saipan	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pt-BR\tipresx.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_CopyNoDrop32x32.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Chisinau	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\help.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\WMM2CLIP.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\ct.sym	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\rarrow.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.lock	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util.gui_1.7.0.v200903091627.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JQhXpTaNElan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GutMdIiYIlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppoeUPVVHrep.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2536	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2380 wrote to memory of 2536	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2380 wrote to memory of 2536	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2380 wrote to memory of 2536	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2380 wrote to memory of 2812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2380 wrote to memory of 2812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2380 wrote to memory of 2812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2380 wrote to memory of 2812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2380 wrote to memory of 2376	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2380 wrote to memory of 2376	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2380 wrote to memory of 2376	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2380 wrote to memory of 2376	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2380 wrote to memory of 22120	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 2380 wrote to memory of 22120	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 2380 wrote to memory of 22120	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 2380 wrote to memory of 22120	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	33
PID 2380 wrote to memory of 22128	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2380 wrote to memory of 22128	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2380 wrote to memory of 22128	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2380 wrote to memory of 22128	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2380 wrote to memory of 22136	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2380 wrote to memory of 22136	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2380 wrote to memory of 22136	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2380 wrote to memory of 22136	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2380 wrote to memory of 41952	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	41
PID 2380 wrote to memory of 41952	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	41
PID 2380 wrote to memory of 41952	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	41
PID 2380 wrote to memory of 41952	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	41
PID 2380 wrote to memory of 40784	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	43
PID 2380 wrote to memory of 40784	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	43
PID 2380 wrote to memory of 40784	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	43
PID 2380 wrote to memory of 40784	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	43
PID 41952 wrote to memory of 40680	41952	net.exe	45
PID 41952 wrote to memory of 40680	41952	net.exe	45
PID 41952 wrote to memory of 40680	41952	net.exe	45
PID 41952 wrote to memory of 40680	41952	net.exe	45
PID 40784 wrote to memory of 41532	40784	net.exe	46
PID 40784 wrote to memory of 41532	40784	net.exe	46
PID 40784 wrote to memory of 41532	40784	net.exe	46
PID 40784 wrote to memory of 41532	40784	net.exe	46
PID 2380 wrote to memory of 41812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	47
PID 2380 wrote to memory of 41812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	47
PID 2380 wrote to memory of 41812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	47
PID 2380 wrote to memory of 41812	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	47
PID 41812 wrote to memory of 41392	41812	net.exe	49
PID 41812 wrote to memory of 41392	41812	net.exe	49
PID 41812 wrote to memory of 41392	41812	net.exe	49
PID 41812 wrote to memory of 41392	41812	net.exe	49
PID 2380 wrote to memory of 41968	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	50
PID 2380 wrote to memory of 41968	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	50
PID 2380 wrote to memory of 41968	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	50
PID 2380 wrote to memory of 41968	2380	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	50
PID 41968 wrote to memory of 41940	41968	net.exe	52
PID 41968 wrote to memory of 41940	41968	net.exe	52
PID 41968 wrote to memory of 41940	41968	net.exe	52
PID 41968 wrote to memory of 41940	41968	net.exe	52

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\ppoeUPVVHrep.exe
  "C:\Users\Admin\AppData\Local\Temp\ppoeUPVVHrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\GutMdIiYIlan.exe
  "C:\Users\Admin\AppData\Local\Temp\GutMdIiYIlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\JQhXpTaNElan.exe
  "C:\Users\Admin\AppData\Local\Temp\JQhXpTaNElan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2376
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22120
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22128
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22136
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:41952
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:40680
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:40784
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:41532
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:41812
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:41392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:41968
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:41940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
261514567916313f2c4e9597b52ff245

SHA1
05cf82ffe9f0af0bec4e1d2462b7feb34039f854

SHA256
1a5975aafa17b8ccfb50571f2538cc2a6e3aa481327392313fa0d66f33c63caa

SHA512
95869578b0c53d929d46aad4b5dbdd93e6f1bdabaeaeec469e1b3dc92baf53b96aaa40a3d2f6072dc4435ac2f7090cc4170d3f5ed20b5be75710407d58f8f193

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
4a39463e7640a4d55b05bb15dc54b8b3

SHA1
8c71be454b6c9cc9da40a038437fbae30b90a947

SHA256
61738cd1f38f32bf2527357e451521225afa635c52b88c8d5a732238c3ac16f3

SHA512
3906d30e0ef581ee2217d699a826407383efbb77327749a4df3e1fe8e74a78907474af91b5af52a134b62ac8103a33ad1ddb42ff12d2bbbd45df5f7e031e3e0a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
3dbac14ef3f89c9baa9b0694a52cee82

SHA1
4bdbe4ff90a2062f4ce2a43ff794bef2934cf253

SHA256
fdecf9e179a18280694dc408679c9a76db9d4186d1cf812e990d61052eddfb1b

SHA512
f7589d03a6306ce091a5c0de18af32d758caa0ebc05de68574f4122eb86cad016e55a8766baab7877452338d7dff1efbb9a05dd85bf7a1979b96b2f8756c5729

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
b44400f9a511b83738d91f8b817852d5

SHA1
987235af6bffef8f20810883262ef48926c74d2d

SHA256
e9e2fb4c725e33ba88cfd7a25432f1bc5d453369a57527a7e3baedbf4f8370cd

SHA512
5b3ae7e11c0edd992a462b8e805a5337c2160285804816fec981dcfaee4935377ba2ef0b444ce0611473facfa2b24ebb36c751c716e08a297866552902223f6a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
8cf1baa1877270bba073110adaf3878b

SHA1
753337b57e5ceae2e1a0c042428fe6718628f426

SHA256
5ec3a1c74c045eac6efee6c2d7242dbcab6c8e6881d5b8e43fbd9a603a42072f

SHA512
6d2718f4a43fc1af5eff83719c4c30bf820f4f58c190ee585f09a6f95f829713883015f6656ab13e613266b2a8cb67313301ae11d4b779344948f4b5c584dd12

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
27e3a1e1bcfb3d7ce561ae5bf123e0f4

SHA1
8f8ef8fa65002805772fa286098f97d16cea0618

SHA256
7cd92afef19cc82be58afe413333b5f6b4f7b6bf2b7962c6387b6ee136216344

SHA512
2e75813066e192cbc9e5ea345a4650da848f38ff6840c635f8014a0aca185880cf401301eb86caefcdae445d69a0461c192d302f2f0be1ae3652b17acad7c1ee

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
cf70be2f0a2d2368a0b510744cfae7e7

SHA1
b29fe1707824d2d514c7a32035e41888e2d882b7

SHA256
893f8f5e24e161b14241991d1d959c7e2052c985ddcd9af7a967f0d85c13f441

SHA512
db57bef013de8f1f8eb07cb6d217ecca8981476031a5d42003a45ef284e65405e8c31450610af5a89c07b5cf43e0aad712ac5b2642ba344693e0322465e52ada

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
ecde21b617a6185963e0b845046447d3

SHA1
3839e5df76548e799ef78096e19ec234336c3685

SHA256
cd271c726b75a60ecfc20b77fbfc39bcc6f67fa5e9bf92a1d0248a64576d3081

SHA512
290e850fb85ba035935967133a733345dbda12a404714e121e1d0ae0d924704f3c233aa8c35c8c449a0edb555ca8e4f714461bd38dcacab41c37c6eabc306ff4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
d3068d9d3559f4f27fb7550cddadb569

SHA1
31d455f97e3c3667786fa40227231876dc312fca

SHA256
3ad9aa179db2b8e9dc99d7bab469bbb2ae4d0287261ede043f461aa517de4362

SHA512
07d51f44088bfc3bb4d5cd4b52dbcc59ab5e78b63d639c2db983d5221e3c0f398213087f432c175dd7d749ef5cdd3aba3ac114e066a412dffd8bacfadf8ce207

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
c03f159bddfdedf9e00919947a91c97e

SHA1
cb59b1eb880462140f2a11cc497ff7a85e445a43

SHA256
f5bb877278bb6cfd571eb67ec4720d23fe433e7264c02f4d68f2644c0916a983

SHA512
59bdb19eb0cbf38307ac3c3f71be45fbaccc554a7dfa1c8a42eb74f4703cd39026109636dea114e88aa18503b9f10d9f76b8b90c776b37dc348eb0f97236856f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
873183eb30660fc2569b15be2c0f50dc

SHA1
f2b77f04143990208146dd5768914eebf77e5031

SHA256
329336059d80029b9dbbfa94780942738e2a7695e3fb7ac46c0c2bf6e60abe73

SHA512
6ca5be99d74f06a84c37cd5b6cf28f3793c2a5c8fd0be43f9938e2bb2de65061165eec636d9a52a97a0c2ee73f08bca7ba106aeb1c3add91aff5a2950c2d3235

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
526bdade38ca17cafbd3766106cd620e

SHA1
848beb313480977b43a6296be289005808f2e184

SHA256
ef1342b56cea091fe9f787cd376314ff905fffe825018df18574110f7eeda367

SHA512
d451f46998594cfc05655153cc2a8e0844893a01f2da68c3be3631e2642bb2e02901407832c33da46c5d24f0a3863ffccc3bb1744acfa22db60190bf3efd3186

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
17e4042810816cb9af4e21772b7c315c

SHA1
1ab65afa8dde4cf187ba828f455b1b0fb6de6c69

SHA256
86f111c164a48c358c77487b7753b9a4ad6337ad618fbfc2e8d77ea7f0f3b52b

SHA512
0bf48b9965fd00651476409e4f0dddf8e59029671352b2a451aa4be77057455a1cc56529cfcade6cf44308826506969fcf6e54875709e85bfeffb0de530b6dcd

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
2a588c4758538b2ccbe2ab6eff753c0a

SHA1
f23d0a67c0e98351e0ee27a20bd16089f5d6a745

SHA256
0f966b7b54584aeb3b0802f3c6dc6208b1716f98b67388f1f9996af34538c654

SHA512
13d11b7e087bc12a960cc654710d1d72492ebdd3b99fa7751bbe4b57e74e92bfec1888814f3107fc049bd8778717b40d54b810e6a78a366a67fb6df0a021930c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
c709cfca052cc95e3b4b4a7517420fe8

SHA1
bd2e481646aed65f3abc0f256da62cdb336e9ba1

SHA256
02e91708913a857276c128a68b4242ccd1e126f9e15f3962ec073bf59be04417

SHA512
537c96d78988bf2541154a48562e3635221f5aea888fcbf4a5d0e46228eb67b340b42c5bb9fd74e0337ad494f47176173bf764bd73840c74ce1555a5b8bfba36

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
ffd06d0cb79f3bb4476760c2f5d6988e

SHA1
6d694d293964993d6d17647d859bafe706bc1079

SHA256
4e25a243bd14e3791dbed4080a446c57d19a035adb6a2bef7343d1693ebf3762

SHA512
e5bb96f6e515bb489de45009d1920af87f6ff349d30f4ce9e756299c91e1b1f110579f3c5b24448b95851d0ccfd2a6f011a4e06dd4cb412cf9d02a773320b6bd

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
5a62959dabf75e711bb67e9366844959

SHA1
e17ecd0b32f46c70b8adb973b25eada12ab27323

SHA256
bd079fc11c57bfdd7e779dd5336e4c45d114e0c09a637b1b4225d7356c1911a7

SHA512
86c3a3d05b636ea9c9f69a100009dd38a8c8c611d4f7e80e3a0853ceace4f00d9f5f27897fbf3f08bc15d660a6bb6144d8a651168a9dd9d347de81bd56daf23c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
b154c9b67fa06a2204695580c2486a08

SHA1
3d00223c3bcd6f537996d1bce96a147cfb16029a

SHA256
6cb98910d1c8ca05d76b2e04329b514e31ab1a4758b952549928c88ff91b4635

SHA512
fbbb90d6008f0396d8a88915aa685d0519cc8c2a3e0e49d83ac2bc1d977386b9873386a20d60905cfa0eb99fe1c3ce821ac5bd3e095e1933a0cf3b22334e55e5

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
0b28a408dbc1252f3286e550e01f02ea

SHA1
c9f2d1e944f0b38b886b56db980aa5b221adfb02

SHA256
44700a3ed56f16b99cfedf364d577a85ecbf8eb2006d502c2e746967e754f657

SHA512
ef7dc14adf1646448be7c999594bb3fd247af080f70ffef7bd34a440e56c4df23480030cfd99bbcdc2b79feb9be0552ac11a59be5f7da562036b1c36b5e78e92

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
d201546b87bca346a37237137f936584

SHA1
61c78d179385c13a83d3db044b848de64c587879

SHA256
2db5aad3d0edb2b888d11ac3ecf14dd8de29fdc32382e3ec73ed1d5e5c9b9335

SHA512
2388a3051b958c77fad0101eaf21730f7498908d3ffc839e5034ead524ab9ca4b728fe789d6789c1266ce9d822a4daf6091d93b83815fba878ed102a0d671da6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
bd107ad5e3f1388a44b98bad832fa180

SHA1
80f58ad7d539083f6cc3cf42ddc422875ffad331

SHA256
2aea5bc06a75e5566236a3418238bffdac217fda99bc588466b7a6e33c3255bc

SHA512
5bbf7c5d97b9e22fe8300be9ede268a60c2cbcf9651b9a5dbd8bfb68da17e7b9439fc04e0c1227752e241f85b24e80d7417601c2e7070ec27360d75f5bc76f29

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
864dc9e4ceea466be6e52e7a81c3353d

SHA1
24d43bebb47f7ad2541d37ebee9b57bde24a0d00

SHA256
216d508ed5d5ff41307cc706dd5a443851f0cd3f0f319f65404aa2cb7faa97c1

SHA512
3724542ee8ec8146834746754f5af5f8ede57e1aebecd062524fd22ac9669f0d3396ef7d83c30fe7ab5b7bc8d1585a6d1072d414c4dc364fb86517c55f4f0094

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
4faf19abcbf2304299cf65b438bb94ec

SHA1
f51501b31eaf366b4c77c297ac3bc0d23c4ecfad

SHA256
8de57fbf819b4bbd909c2af6cca57a9e7e08ecdb14a00ca76da635e36b6b2537

SHA512
e95788e816af14fdc9f1bf49432a70230bbe73b8f73812603f5e37364a0dd09360e5bbaaf5a07dbd69759c37f5cc14ffe93a3a233e36a7ba1d1e94c64bf0cac2

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
449847dfc20d1cb1599dff0298b89372

SHA1
3bffaefd5f4d00ed12ad7c284b5c756d7017b8c8

SHA256
84a8867548bbf29f08c5eda3680b1589df4634503f9d688336372624d6d600cd

SHA512
b4a1869498b5efeb90efbc14a58abfe28b14c499b1950cdd0bf813d56eeeb73dcba7b22f3b68b761b3534e05a2fca507a7aaf78f06660cf73bd71781d6d8c93b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
0cb0771471033120c2722375c0fd2a85

SHA1
3520382fe516ab1f53702ea73eafae12455913e4

SHA256
79dbc3becf99b86130b58844dfa9ad353bf5f519ea01ba4f2e7b12f794f29703

SHA512
c6408c3267107f60120fada78ca9f7e4b3de4ff2d47323a3a98583093321f71b3f6a3de1d78a81929f10e7ac798edf4c52f8f4650cf29143408bcbb63541fa16

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
121757c7d8e4cfd8d524d47d2d2f3410

SHA1
581d73791f582783d304e9314816dfb5c30461cf

SHA256
5b0dcd028c219e1b737e2e97afbee7e45bd757ceea2b4ed049b5f066cef558cb

SHA512
3bf71c323e72a670cc4a88901774b2656c930c1317ff0371310cf0e3ac70b143f38b2726c145c14cedca8e5eadfe81b7a318ece0a9e42856a136d7b686e22eab

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
f9f8797f468a246983aabb184f222695

SHA1
9dd4be749068009329ee59b2c2655876f20286d6

SHA256
beeb070e9967a6577ab539bb35f74f5c92c205e8fc2515ec8230fbde60d52e47

SHA512
af33e3e87e21162201221eae165527b286af758452ae4b9ff2b630e08f78ed7e7c4263895b86a559bcd285d0fdaf25d0dbbca6f9465e168a90c2b7fd97021e7a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
2e8a563670b2dceaa78bce07e9411682

SHA1
ba6ee8a18612bfd39dff255bf7a01f9254ac351c

SHA256
18e3e1f393e1f68eb388f1ad8bb242e0b52bf688b5d562dbad7fcf46b226051e

SHA512
1918e2d8c13604bee3dd2649a4749e7ba68100fbd51d5c01265f3293a0219032aeb357e2fe2980235fd4a7fbb722c535ec3fdf5461be3ebfeb117541d7430c42

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
bd61fa4c4b846879e31222712a4e065e

SHA1
85ecef8e84a42c2fb07f50a7c0988a7d8d3c2033

SHA256
11d58e49c25bc96f3f348a0e4032416ab71e9cad98ab5f383cde91511397f9b2

SHA512
ddd2ab4fb14218f32194126f5e9e44eece8c4d17f9be58f801653006961557aef22ec0fa30768e291da53e20746ca97b51b959500f26a56b9248c6b5c930b66b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
e3d8020164a07f1aee73b3b36cb0575f

SHA1
6265b2c6c2675aae6b89143396dbc24596598d0a

SHA256
e0f6a7fb10f642f8730ae4c7c08a14cc0c6dbe3beab5cb1e632994defdd6ca13

SHA512
61a94542a1421c92c60c2336a64742a82d74a961046bfa5fadcf29b11db094838322cd7fc5c740bf08b5327af24f6253f09ce806787462a39a7db6a8ed0afcf9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
edd57b16de54b1ea17b25f16b995cb13

SHA1
a5dcc5fb2a39270c245c885583e5e2c69171edbe

SHA256
542809c1d011607bb2e991d6f93dd247343394c4058d9ce0437ac7199bbef25f

SHA512
b49671092439cbc609163e5fe4b7b95af82e78af4df3972cbc2b71b4c7dc2f095709189fcc99277c7ae967184900da0ea588af2ad62ab57203b52ec6a6b1f210

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
7f8395b13a59a461ff0b150d99ed07cb

SHA1
5429ec0ca0de9505b27fff5e1fbfa1556d42244f

SHA256
765f33c3d63ec53d4792cf55a51d0ef5f28c16a92ecccc2ec27059be95c33844

SHA512
5995857eeac0d20a2ffafcd77633cf92659c20d1520914ca4f48aba5d90db0a3caad0ddd778cfef83778e99bbec919ac21b82bdb600d0b839d27f51338bbc4e5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
2d0562d9f1c4dffb9a45470540985370

SHA1
e43ad22ffd22393504ba9891867f78b663afbca4

SHA256
a4efcc9e46b85980dff47d33d1beae5b0f7f765d6d96de48a49edfe56a015f5d

SHA512
bb1be644bc472c2ed4c70ee44cd412873b222cdba7bd58c67b6629786862029df7152846ecbcf0aba82fa34bd4df9ffe7b46e289085c3f13ddc3eebdd2530163

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
f4c2c4b95d073fa9baeeafcbe4690cc5

SHA1
39e4c8ed99158fbcdee49b9bcd38aa69feacb75c

SHA256
e8344f38dc8752c8268609a21b8f0d31eb98f8cb67d2d66f3aa6e820cdcbed3e

SHA512
e11bb47e20f4d7a700c0289f1473a8db634e9f7ddb9195720d7d38e6465b05534f0c4912c90ec3265ea99d9ce1175f873ed63cadf330be09eaac0cc0b49c5877

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
4855f9f6638ef0dc2194d7330c51e2cb

SHA1
ca522d6c8ccdf83df56b364224f5ffc539421987

SHA256
ced743e8413cac0633b54d53a5d8b47abf228e99384524797afe6d0964cd3978

SHA512
2ceee24ee3309ad4b418041884416c1e57f314ed029733de39fa5f088935f3b5991b89b96794ecaa80981b31318d22e57760e9704a9bbdc74204220d7dce66de

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
0df59a545f062f18f7763e412422b29e

SHA1
9c1f7175065245bebef9352b46c9c6293a6dbc4f

SHA256
95e4f645254bcf57538093e6b302a5af5ce79a5f0e794c9b61722981a3b0b4b9

SHA512
e2cadd9430eb3d4065fa6f5b0de99eeeaeb57cb64012bda86cb5f17ce7bdceb81ea795216b71b0e1714117f9367dc28a69e2808fb509477fa884bca8c54d04cd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
38a2bdcdff80504e17d66200b3b4d590

SHA1
6f3c261d34d7041ad920e37242a958177f0e71f7

SHA256
4caad907f80d1ba4d9b7fe9659cb423c6450e7de2cc9c7b7c88827187ca4f0b8

SHA512
607fb6711d31d4a5477e4ce796515aceeaf1cb59e46b3caceeb981237356eb4e5a1823cd712c4abc8bc51b5a59163b4c27e1621404695c41057609448b67628d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
6668cd6a60767ba9204e7cece7b28cbf

SHA1
1339fcc4dba27c7d98d4f9aefc482cfe782fdcc4

SHA256
503a48e9aaa2d3a9987ccbf48d64a262d1423366b357bcff40299c7c6e89a321

SHA512
3c0a3148cd04d866d401aae7d9515301c3d4f5b5af2623c098d887a7507fa30b8d5164ef5e9295162e6a990897dabfd9bcebe2e01ae531e71f29cfb4b2701d9f

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
312cf90b92a0e1b46be2f23d9557934b

SHA1
8b5eef7c9dbd078c55d482050b118406db779727

SHA256
1c7e0f48be1ecbb6999fd28a3f8fc0aafd9daf6ada2179bd514758242628c570

SHA512
0794795c5442709b9eab91076554543b10a6641e426fcb473a7edcd0f2e8dd80fef4c69eed6e9fdeeb5d385d108adb67531311262236b49a34c1b8e8332138c5

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
\Users\Admin\AppData\Local\Temp\ppoeUPVVHrep.exe

Filesize
544KB

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
memory/2376-1035-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2376-10291-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2376-44-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2376-2724-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-7930-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-1033-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-1-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-10289-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-275-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-9370-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-5363-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-38-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-3989-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-27-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-2722-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-12-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-0-0x0000000035008000-0x000000003500A000-memory.dmp

Filesize
8KB

Download
memory/2380-4-0x0000000035008000-0x000000003500A000-memory.dmp

Filesize
8KB

Download
memory/2380-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2380-2-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-15-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-9253-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-14-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-10290-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-2723-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-28-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-39-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-5364-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-42-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-276-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-13-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2536-7931-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-8899-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-25-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-6504-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-9761-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-45-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-40-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-26-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2812-11244-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download