ryuk | 6dfef684475fcbf722f88337d630668b6fcb73864daa9a7e65f3642d3766fdfc

Analysis

max time kernel
107s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Size

544KB
MD5

526fa2ecb5f8fee6aec4b5d7713d909a
SHA1

51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a
SHA256

41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700
SHA512

f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4
SSDEEP

6144:0foeu9rlMfTOC5TGdQJEMpc35IA0dOYiUeinhn6:0fdsUCiYQJxc3YiUeinhn6

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TyorjXA0'; $torlink = 'http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://etnbhivw5fjqytbmvt2o6zle3avqn6rrugfc35kmcmedbbgqbxtknlqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (2509) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
2828	JpxEGcQjdrep.exe
1276	ZulxPQhYPlan.exe
2640	wzsJfJzCnlan.exe

Loads dropped DLL 3 IoCs

pid	Process
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
22196	icacls.exe
22204	icacls.exe
22212	icacls.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipBand.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\jsdbgui.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Cape_Verde	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\ja-JP\Minesweeper.exe.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Minsk	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\gimap.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\bckgzm.exe.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXEV.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-compat.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ja-JP\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derbynet.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\720x480icongraphic.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_zh_CN.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_es.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookbig.gif	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dili	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiBold.ttf	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Baghdad	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.properties	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-search_ja.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.inject_1.0.0.v20091030.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_ja_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.repository.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Dublin	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\curtains.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novosibirsk	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.html	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\es-ES\oledb32r.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_zh_4.4.0.v20140623020002.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlaceMCE.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msaddsr.dll.mui	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_MATTE_PAL.wmv	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationRight_ButtonGraphic.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\IEAWSDC.DLL	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnld.xml	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\SolitaireMCE.png	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host-views.jar	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZulxPQhYPlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JpxEGcQjdrep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wzsJfJzCnlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2828	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2872 wrote to memory of 2828	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2872 wrote to memory of 2828	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2872 wrote to memory of 2828	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	30
PID 2872 wrote to memory of 1276	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2872 wrote to memory of 1276	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2872 wrote to memory of 1276	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2872 wrote to memory of 1276	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	31
PID 2872 wrote to memory of 2640	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2872 wrote to memory of 2640	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2872 wrote to memory of 2640	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2872 wrote to memory of 2640	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	32
PID 2872 wrote to memory of 22196	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2872 wrote to memory of 22196	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2872 wrote to memory of 22196	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2872 wrote to memory of 22196	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	34
PID 2872 wrote to memory of 22204	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2872 wrote to memory of 22204	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2872 wrote to memory of 22204	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2872 wrote to memory of 22204	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	35
PID 2872 wrote to memory of 22212	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 2872 wrote to memory of 22212	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 2872 wrote to memory of 22212	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 2872 wrote to memory of 22212	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	36
PID 2872 wrote to memory of 32884	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	40
PID 2872 wrote to memory of 32884	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	40
PID 2872 wrote to memory of 32884	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	40
PID 2872 wrote to memory of 32884	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	40
PID 2872 wrote to memory of 33032	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 2872 wrote to memory of 33032	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 2872 wrote to memory of 33032	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 2872 wrote to memory of 33032	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	42
PID 33032 wrote to memory of 33060	33032	net.exe	44
PID 33032 wrote to memory of 33060	33032	net.exe	44
PID 33032 wrote to memory of 33060	33032	net.exe	44
PID 33032 wrote to memory of 33060	33032	net.exe	44
PID 32884 wrote to memory of 33068	32884	net.exe	45
PID 32884 wrote to memory of 33068	32884	net.exe	45
PID 32884 wrote to memory of 33068	32884	net.exe	45
PID 32884 wrote to memory of 33068	32884	net.exe	45
PID 2872 wrote to memory of 33168	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	46
PID 2872 wrote to memory of 33168	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	46
PID 2872 wrote to memory of 33168	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	46
PID 2872 wrote to memory of 33168	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	46
PID 33168 wrote to memory of 33260	33168	net.exe	48
PID 33168 wrote to memory of 33260	33168	net.exe	48
PID 33168 wrote to memory of 33260	33168	net.exe	48
PID 33168 wrote to memory of 33260	33168	net.exe	48
PID 2872 wrote to memory of 33292	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	49
PID 2872 wrote to memory of 33292	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	49
PID 2872 wrote to memory of 33292	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	49
PID 2872 wrote to memory of 33292	2872	41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe	49
PID 33292 wrote to memory of 33336	33292	net.exe	51
PID 33292 wrote to memory of 33336	33292	net.exe	51
PID 33292 wrote to memory of 33336	33292	net.exe	51
PID 33292 wrote to memory of 33336	33292	net.exe	51

C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
"C:\Users\Admin\AppData\Local\Temp\41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Local\Temp\JpxEGcQjdrep.exe
  "C:\Users\Admin\AppData\Local\Temp\JpxEGcQjdrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Users\Admin\AppData\Local\Temp\ZulxPQhYPlan.exe
  "C:\Users\Admin\AppData\Local\Temp\ZulxPQhYPlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\wzsJfJzCnlan.exe
  "C:\Users\Admin\AppData\Local\Temp\wzsJfJzCnlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2640
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22196
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22204
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22212
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:32884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:33068
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:33032
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:33060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:33168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:33260
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:33292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:33336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
1666fbb9711059e8408292a65f3a8f30

SHA1
a76de38f2f52f3ff8a9f340c470fa5d0c551a4bd

SHA256
2a675cd8ea024f26a1b89aea894a81f34177c95b69908fa42b4854b32f167efc

SHA512
38c70c4f4bfe560a0d7dc013075e06562adbf7f6f7e320f54783fa038682ac333af48600604ac19cd3503ac8c871ec9770a8342de15dc0f43184ad710e0a4a1f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
f6942eed5f2d77ebe930577abee79eef

SHA1
2906f0d5305b703194a10169bebb791145b628cf

SHA256
a7d74c6380b206f2d12896664a7bab09cefd7a9d24f15633c4cf2618bdf402fd

SHA512
7559a6819913d4e2816009dc68ff051018268cedd2cf1ce6a14644f93ca38638cd8bd404c9a46e9fd3a88e86f6d14414f02cae4d9611178dc6bfc57ae3bb7dc2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
0c1de14230e4a5d272f9bc856a74bf45

SHA1
5f40af7f0faaeb9b6c5104a39e71ba7b5eb202ed

SHA256
4d089da71c8fd909207e6b0cb86f722f48449821b4f0eb0da80de92cd75b7423

SHA512
e58dc20672abb97f08ef4e95ea9347734da05929481518edfabe304cc965914548144e4d1621cff9908d81bb66d67af3cc00cec22efd0358d3a2a94f825f1072

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
19938c4442c12733f2e400dca050cdf6

SHA1
a4f710446a749933f6d26366916924a0c8f25243

SHA256
4d47aebd5725916b3423f8b61edb50484847d971dfdfc2498b4cd50b3042804c

SHA512
3b074202f97f01f6c70216830c15a5e75281faf3702389adf1375188df9fa6dbd791590da74ca997c6714afbd01654f1d0c426a3f419b8568434303bb029d80b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
16489f1e17fe045c72d84056db91fd09

SHA1
f5074e9fea5eab1d3a2e2564247c55fb3cf1f437

SHA256
942a027b1c880c040655bf8527bdd7b90b091c6439ec094a6e56e7007e1b9cbc

SHA512
a9b431fa24a2eb00b0d121b523902a67c86780e2d445c3971f846979a5565ff78bb7e47c5bbe28c4c6e845dc3015578230af2df402247102f4aa003686fb51c0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
466603a515cce0309dcf54a826b17893

SHA1
53d3aa20df32c5c93ba1e4746896ab33d082e8ce

SHA256
aa31033e7a4554dc66128401b315e014dbaa4319104850062eb60748aa3fd52f

SHA512
33d1fc8e2bb425959d7d0177354d53b910ae928b85da91d01803e8532c999fe6dcf9c3dbad94bde1a0a50195bdc6277936e282d760c9ed820a02777f63fd3d2b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
f9639a6465231b95778f8ac27b3f1d6d

SHA1
89f45584e8a54f3f699175f264a7e0b47c2fed93

SHA256
cb8840d77580f9258f172ffae2667b330e2e066c19fe0b2ac9c6b002cafd57d4

SHA512
eab0cab968d25437c49ae8b9d679437126a66f2126c54237101d21c4eccf9415d8a0d0aca05967994276c445ab1aed7e2e3aa2a8fb9607914abb6c4d06c9769f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
e2a468d140a7928620133dffaf316030

SHA1
10bc4e1a8d3e95370cf0f5581c0a0fdb14871353

SHA256
737b13e89dc3e788fcc40450939cd4dd2d5846737f4a137672350399ec9fdfed

SHA512
6ebd5179cf9230aa7826fdd34e779da0fef134e7a577b1a9c56212e3c4043efa8353dd277c9901bea5264d6bb2fcf7100f89d662ce01c2548cf652586428c5e1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
754f7949c65f1395ca6ff1c3340aa88a

SHA1
f94c0691feb4b42297815e06f7978c5568155e60

SHA256
c7a43ee47bce383698adeca6793c0fe95b7e7538816be27b0fc219829822f419

SHA512
150b1aa4b8abf6d2c6763edf3726ccd02c0a6d78edf3c99d45d9414795e995817fc4ebde541c32d91e84f24aaabf7795158d9fcef57495c4d6d3ebe92b0720a0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
779112259795f79e719b44f43c254d54

SHA1
f4d21ecc26ddbe516e0d9389da84c8dbcc3ffde0

SHA256
ae30903426786e6dd045140a7a415ecc36009163d5f2bde76c6187bc85eb4bbd

SHA512
0e81e129199a9fdd042f0fae046e97fd2b0e6afc1440eabf62d6c1a1a85b1d9225d0fcd28dbcde04b61b31a49c1d4cc52f37d0700539408c33a580764593fea3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
dc6df801d0d58809dcdca37d590f7202

SHA1
9505f524b3748ca244b419819968f490ef7ab6a4

SHA256
31f734157aec9c638370411af27151000be49f7c8f9ef2ea4eaeea3be186602b

SHA512
e0326de23e8dc97213e253bf9829405d8f66862ce1a1fa6707061606c6ce0e1a90cd2dcb478a7994f6119265023d36b31d158a9f7b143892f48cef536f802541

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
401099ee81ff20585b26788444658135

SHA1
c7f326981ff69f2d2ececde8b078d6ef9d97bba0

SHA256
a1870196ad68a3aea5c57ee751b1866adbdf1eed90e47f6a875e5456ab0bf3f5

SHA512
1e3799b02864d08714f57f255a2f5aae038bb55d2108117c5e9c50fda6623e17b261e52e99151dcf5d4709c7d1fb7756454155a95af275a2688ed7de96e79a44

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
0b548187090b413371021a0f0260057f

SHA1
3173f76d0b96e88272685d157a93770caf3e8d59

SHA256
3a8f0bb21cbcedd0ed75023bf7ff96b2f4a99151fa51508bcea9aa360fdc8505

SHA512
50230410c96c9d4f41cc407b1a3135c18cbaec5bb0ca7be072d0a16713c5ad044cdb3ff1256edce49b41dd1cb86fd65e86202f282a8b79855f070f5088923573

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
1b9834a0f3b702ec7b6575af3c5dd6e0

SHA1
f6f72d371d9a5bd9d85313b7576cf1b7d7733737

SHA256
38c4acc99e07e43d6b4b22bfe8b642cc4d7e9bf4d0b27b419ab93518754ef4b3

SHA512
8bbb747fa5693faa726056cc66966fc3ec761b96316df4f012992966ce983d068adccba2126809fd9ab22bda377e85ef51496c4b043553a11e378a8b9cfc05e6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
7dc9c16c73c5352b068a7fa886fb2feb

SHA1
affa4569183d8f99a353cbf0f4a50b8d646b9100

SHA256
484145f04f76a84d571f495626152d614ba439620755aa8fdf8584570d1cb38c

SHA512
d379f2a89d0b0dd57b7f7f84943bbc00e741ccc5c32a7e0ccaa51344390c58c18a667b73cae430d7f54464c6dcaf90aefac3623c62577e55e4d61a280d4c7e65

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
ded79dd1f84f59face9862c42875c121

SHA1
5adca97159f482e6ce856b22fb0732564ec13eac

SHA256
cd0ad50ddf17b6a58364f8b7a8a0ca0f137d80313aafa9727d3524b92fb489e3

SHA512
3c4ff366e35381b64e6aa6f7befec6e2851490ff154e6836ad745a3425a7dde250a35298a228888b6a6a4943dfdbf9f160079fe7b8a3e508b05a2795e552bcb1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
edc9810429179d251572cfe129be118f

SHA1
1870f98884014e972761e1eabc9e564906023929

SHA256
e6e6ee0b82a6d508ce1c6c8a433eb98544a972ddcddb136682e8fbe88261b8a9

SHA512
43f153bbf18c7aeb2c583aa0fed1c34f6a0e5a3b2077bd5f3c00a51e5dbb22e8b0256e301e5065de86dab48c54ac82be9b9fa0285ba7c59a28f1cfed9896f73d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
36081ba00fd1bab44a43f67f59683ffa

SHA1
f1c43b70047b572ebc8938dc734cd1177024d0cf

SHA256
95670d8433fb12d5f0300ac2958198b35171edb1bd2fcd658f07e6de393a7855

SHA512
cc10f83e8edf78bb91352ce751e423a1221f02e4da39e07664d280ffcc7a7217e4641879b5dcc3c82a7fcdceea02f7e1a1e8b1a568f3597ef59c10fd24093d86

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

Filesize
14.1MB

MD5
aec41eab1c621543ac61322d5cd67485

SHA1
76d244ca06c5ceda4d4f1cd29dea06c6647f872a

SHA256
759af9c903070556b7ceb5179ffd835b0ac02f78bb628f2869caac605a85b182

SHA512
f552a87acf978b2e790d18f7bc6d469b1902fad6885ee77a1e7a9793e3c449e61d571d3354f324fd82fdfe673061f3da355417dc3d82035bd5699d359fa33f67

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
75e42ecb20326780caf3a84adc83d4c6

SHA1
10cfe161e1eec60707a798a16b73033db80d312d

SHA256
fc39604aba6c872f2a2d4bb57d9eaeeb59e387ae5434fa3f02bd829d97a7d52f

SHA512
20c28f8e9c85672f8ad37244f1bcafdcd6dfaf40570b4e7e3ff1a7977a17941e552f362d9f924d41999bdaa0ecc9fe5d34e1806b68b11d655184980dc46c361d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
ac23233b93bcfbc5d90ac5c8e1d21f98

SHA1
3cf39bc5d66139b14bbc198149e01f2b07236704

SHA256
31f2c61c9eda95122077b3aafb2a89e8e19b7e2b6e3f851270d862164b031e78

SHA512
1e445b460a94674fed073c58ccb9326bec697c4d9638b014741b93b278d712bf4e2259ba6d2566d7e49744a0ae88086c02a0298826f9b640af9dd274937cb347

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
4f51883ac5eb3356dbd11b3c8314e38e

SHA1
ec37927482852d2e9370dd72d8394b8dafe2843a

SHA256
8ad3bb9cfde582647eba3165bf5c954e3f92779e4477aa9f830a7eded9bfc364

SHA512
9d6562bdafdbdd6eb637e7966e1ecf5eda96d30d12767969ba9debf09903acbea0564ac75306ae9f860242a28b3e505111e0e91c48e4322a0b69d523a98eec74

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
fe9777f81d2302b791a48568c17dd6d4

SHA1
856ed39ea722c093bff466aa7a1a7863a13c64c8

SHA256
7bbe48d0a69afcaf96170707de4633b38ed25c5de34a4aa24fa334e7fa4c9142

SHA512
71e00cc0eaebe9d7abbde1b97b6a3a1314b269d13f6dcb4332420828200da4ebce1c60eafbd7059a4d6df2d0bf553b852f8303f3378bfa36121f03f33348ff41

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
0fbdd664f7ed00a2eb15b16a8d4a2c21

SHA1
0d25a53082c4d48d8d7204a4c543f76228c2b1cb

SHA256
db5f86ffd5e1d6ce553fb1b585f01e1d0c4b1e695b8396cd72a680a00a268e16

SHA512
2b23251233a346f29f787d7c87222b4012199369709dfeba73ecf8f9103399fa067bdac5caf8907880a91c55da3a563665c15dc1c51131bc8a19dafdf2c0e186

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
6e952599739d3c80e0537f8d4e7fbe72

SHA1
6f656042b15f155f1ec9d32e2f5452ff346586ff

SHA256
98c90cc82c5ed19f68160d1293a284f6dc2c64f99c4e7e3c87d33e1ae2c8948d

SHA512
065829147051593d1c2fdd548a0b23a2d1d8a09594c0de512fc2bacc588e3543ed7b1dcbd0a13f23f125ec8bafad03f4dd68ffa3f61af3ed440b145028b556c4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
806067a969a91c5da9675343e5f634ba

SHA1
aea488d210eebb776179533b7f9f8ce1d90f62fc

SHA256
722b568443e3791e12ced5e1025d65446f5d50597dc2f0e6cf0fb3347f4657c1

SHA512
a914b9c56df4aed18830b84d595226f3de573189b731eaa0c10ce06c6c7356050880037ff779ba35f06997c649c06a1e683c35efd797c98a5cb107507a25cb49

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
46ec20d7d3b90a50d8d722387952e7a9

SHA1
82ea54dd7b8ed1194745304364cc0ccb763ff6ac

SHA256
358f40ce2f7c0268be06dd9bb1d882c4ce47a3fb695fd24068d2a6a81aa6043d

SHA512
b831bbe11b0d08ace8dcb90f6a26638328c9ce2fc70aac0e3c64a1a17601e72b7028f6d14a8918ecf53dcc7f532cc5f6a70b06fdb02ea0f63c2b7ce4b884c3ca

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
9258c2a7e8bb73e9742161a7042b3531

SHA1
6dd8c8f87fb503d53eacba9da5e33079f3572be3

SHA256
e08e373802a6eacf47ab4863fc2ed89fcfba9a5f478d9bc610a2703553ed4b00

SHA512
e2d6a028ea5010bd233ac39290b87e2390fab0ede9907c2bcfda490789ee155c214ce54682001bf6be20a80afac0c70f3b9e2b6f1a609a9e31487e3ed24e9629

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
3e03e3db411e98fb693479da1a58b92f

SHA1
baeff9ac82b9048eea03b035cd5402f8e5ea8c0d

SHA256
405922a386347ff1d09d7634b39108ec57b062b3818b765ce52821095b919e39

SHA512
b1aaf24d84cbea9aff3aeae7579dfd7d1ff16dfcfdbab32e8b6df5030a4d486e5808bc434836e88fbb1f65ffe57b4123fc5d33bb9f3e03c8996028690a68ccbf

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
6754e44cef80655428baaa32cdfeacbd

SHA1
b93d2aff8f9a3c4bb692d89165a1153142be3d1d

SHA256
4b5e5093099d5b8a956921ea52b240a1205ae2ecee11052e6086b7d364c1929a

SHA512
97917abd31475fcdf3f9daef1767b891c8fe6bae3805504e9ba146a7cdb3cb2162f50d88100925a3fdc8a7ef37fe1d87834fa3ed48486aef234640b78e87e39b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
eb1a572926c30c9cd01c26a6d8167600

SHA1
cb4c539bfa1c8cc18cfb9e8d1dfca1132253d74c

SHA256
5988eea412e3fbd17c23a169640f88b85071819ca2f26ed9c31945afc249eba9

SHA512
c456c4c67e4c2b3080d762406d0ef8cc87db66d90a3f269c9dcf4b108236b74c14f98dd8fd64d8fe6c28c517e3ff33002eb6a7b05e0f94e7b453c2f648bcf005

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
e260646be47a363c81e686d3f9ac593e

SHA1
a7a4797f7e79ce31a7515cc60cf5454f7da058b2

SHA256
8bc3dc0aa8d4fb41a3feabd9454a77f66ec9a8377d343f4113cd54b0455db495

SHA512
fe27908a4105e7cefecac2047b65c419c3452b33b608d5292f2a8575090b6a63aa2baf080553cd29d6ec099e9e128843dfc96e2b70aae0979be69a32148c1f4e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
f839938f7786c5840cb81485af4f20fe

SHA1
3ec79716d8bfc2297dacaab65524d24f4dec1ec4

SHA256
a0c402ff60a38bc42e2d2baa29b86964d27e05c94ff97e21ee625e7b201b320d

SHA512
6cbad0c9402df66d35778f973d51cfa95ee94090267ac0e5fd1d09030fd438b553ed28a46fc2d95085dca0ddbf9609b7a270925792c8b2fc6428c7734f01424d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
e87b5c4a60693fe649bc08d90c270394

SHA1
588d0d46a7b95d2d1d54f8e5cf95a6ef231436f4

SHA256
ee6f6f2f2bfbf11e4d17a2c147780a38a6cef7899693cc798f3c0f70a60b9e69

SHA512
e36e38e8be8c9739af1d5907801de2be39a33cb28002fdca76622d9ccddd1610377c8583c85698d219b9f0e1ef9017c635bb2b2d339c50f6d21e9553cfbaab0a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
7440371ecf1e9001cc5c54c33200aad0

SHA1
65fe8f13cdd916cdfac3814286c63a65ba8490f0

SHA256
021c6cf5e5729d8ee1f036440cc984888ef032fdd58c7b6730be88d3320d9678

SHA512
5268e83f5f61ff5e8efb984e28c76f29329d76b271453859636da75fb0bd55b07ed0e2c8c4af62183d232a8cf32e24b8e6bb605ce90a80180c60cf40b867896e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
e063b34767ff36066a6666deeeb67e9f

SHA1
fafa27ef0fff8320df4a86a310332d28118e0172

SHA256
5ca64723794d5d744364d3d48dd59082e0b67c734fa0094f24b3cc2f81116552

SHA512
596a386c4c5ed961747816d47f0c66cb4c89ba7757ab78320f00b44c8ad162ccf534da099b784bea75d8a51ee1cc1fb5c1a0f84477f310615a18d5e28e02f82a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
bda422efb24ff94639073f7351cce2ad

SHA1
0745fcd37bcffbc257585eb92b8b70e2bbdb20d8

SHA256
053cdb477b60bf9e1265f0285fafc78c215a3629436d8f99e0e440958f0f0caa

SHA512
65cebbcbf7b55be9cb22f15fa43a3b060cc03660a701d3fb745ea60d5383b1a8493e37c0b786a84a55988e48e5d496d26f08c63a47d1ff35dc85adce82e69157

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
04151fdba2dd112cb1f2a6b420fe572f

SHA1
d6e70fad442a9707ba031773553efb8081aeb3f3

SHA256
f0f17d90c58d86f283a41cb015a6550292f34d23e482a71cc7168d5a6d6784fa

SHA512
e80610d6f5b2517002bf246fdfda1e358be50fbfe989ca9e4658a89af633051d208d2fb2da040323ae96db98fee25a721b9d03055c495790f1c2c0082f7491b8

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

Filesize
15.0MB

MD5
78e47ecb8bc63c2c9c34a817d49468b2

SHA1
8c8e3d6f393e90f7c65efe2efa99089b97c9c0f2

SHA256
51dd78ad1f2467a64c94b19b4b326127c40ae523257c51291cc3a39899db54fd

SHA512
fc47ff192208a78f9d0fed2e49bb262a79457deac985c0737a01a1875c5059884073e4c2e124a311201e3eb1aa0712bf5da198f3ce8f574262ba8cf33e06a5dd

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
022cdc016e204620009dde027e3d0bae

SHA1
f92128d7a8a50e4ad44c16ff67ef24cc315aac76

SHA256
453248367365b4db8cef433d61a18d0505aa6739784dc4ab6d4b9e226e9c8de7

SHA512
2309ed91fdb1bf48eba20df7856603f1925b01a883b15ccdaeb7b21808f9a1a11df57b4c21406af0fecf6f9715a758a7ff7127046b8ab0424176c1b040d4f7a3

Download Submit
\Users\Admin\AppData\Local\Temp\JpxEGcQjdrep.exe

Filesize
544KB

MD5
526fa2ecb5f8fee6aec4b5d7713d909a

SHA1
51aea2a2b88fb44d5b7ec5d52b47c8b83d9d724a

SHA256
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700

SHA512
f8859f16c605622edb196f58d013058092824f3d20d207d8b0ed26d2aa4dd8d2c2d1034d5d9aa73974a605c2a41f4c569f33d43d1a6c640f2f9723c721c9e0a4

Download Submit
memory/1276-11256-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1276-14442-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1276-13182-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1276-45-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1276-25-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/1276-26-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2640-43-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2640-13919-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2640-2259-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2640-441-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-13-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-2142-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-42-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-225-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-14-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-15-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-12154-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-32-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-7458-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-4610-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2828-440-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-2141-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-1-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-4-0x0000000035008000-0x000000003500A000-memory.dmp

Filesize
8KB

Download
memory/2872-31-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-392-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-4607-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-7134-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-27-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-9542-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-2-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-12052-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-0-0x0000000035008000-0x000000003500A000-memory.dmp

Filesize
8KB

Download
memory/2872-3-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-13810-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-204-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download
memory/2872-12-0x0000000035000000-0x0000000035090000-memory.dmp

Filesize
576KB

Download