ryuk | 73521579fba19f498b9a325b0b40f4f25cc90c4b5143b00a7f01cfec2d63e8c9

Analysis

max time kernel
150s
max time network
82s
platform
windows7_x64
resource
win7v20201028
submitted
03-01-2021 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ryuk.Ransom.bin.exe
Size

196KB
MD5

2e66f487fedc2c5b3550a99c0f64e93c
SHA1

833b671237f563cf8bd7daa82b17850c139a8261
SHA256

4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4
SHA512

f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

bcVfNtDoblan.exeyuLRYRocmlan.exeNuPLalLhPlan.exe

pid process

1240 bcVfNtDoblan.exe
1224 yuLRYRocmlan.exe
1648 NuPLalLhPlan.exe
Loads dropped DLL 6 IoCs

Processes:

Ryuk.Ransom.bin.exe

pid process

1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

884 icacls.exe
1700 icacls.exe

pid	process
1240	bcVfNtDoblan.exe
1224	yuLRYRocmlan.exe
1648	NuPLalLhPlan.exe

pid	process
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe

pid	process
884	icacls.exe
1700	icacls.exe

Drops file in Program Files directory 8553 IoCs

Processes:

Ryuk.Ransom.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Riyadh88	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\visualvm.clusters	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Chuuk	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02845G.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Document.gif	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-ImageMask.png	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Baku	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR7B.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\CET	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105410.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\SAVE.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7EN.LEX	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sa.jar	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01253_.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SECRECS.ICO	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_FormsHomePage.gif	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV11.POC	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_precomp_matte.wmv	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\PST8	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS10TARG.POC	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Adobe.css	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsen.xml	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00641_.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBOB6.CHM	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\Passport_PAL.wmv	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\default.vlt	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18206_.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14795_.GIF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-api-caching_zh_CN.jar	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00218_.WMF	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_GreenTea.gif	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SpringGreen\RyukReadMe.html	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\STSLIST.CHM	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Regina	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Manaus	Ryuk.Ransom.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00633_.WMF	Ryuk.Ransom.bin.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

540 SCHTASKS.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1564 vssadmin.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Ryuk.Ransom.bin.exe

pid process

1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe
1584 Ryuk.Ransom.bin.exe

pid	process
540	SCHTASKS.exe

pid	process
1564	vssadmin.exe

pid	process
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe
1584	Ryuk.Ransom.bin.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

Processes:

WMIC.exevssvc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1104	WMIC.exe
Token: SeSecurityPrivilege	1104	WMIC.exe
Token: SeTakeOwnershipPrivilege	1104	WMIC.exe
Token: SeLoadDriverPrivilege	1104	WMIC.exe
Token: SeSystemProfilePrivilege	1104	WMIC.exe
Token: SeSystemtimePrivilege	1104	WMIC.exe
Token: SeProfSingleProcessPrivilege	1104	WMIC.exe
Token: SeIncBasePriorityPrivilege	1104	WMIC.exe
Token: SeCreatePagefilePrivilege	1104	WMIC.exe
Token: SeBackupPrivilege	1104	WMIC.exe
Token: SeRestorePrivilege	1104	WMIC.exe
Token: SeShutdownPrivilege	1104	WMIC.exe
Token: SeDebugPrivilege	1104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1104	WMIC.exe
Token: SeRemoteShutdownPrivilege	1104	WMIC.exe
Token: SeUndockPrivilege	1104	WMIC.exe
Token: SeManageVolumePrivilege	1104	WMIC.exe
Token: 33	1104	WMIC.exe
Token: 34	1104	WMIC.exe
Token: 35	1104	WMIC.exe
Token: SeBackupPrivilege	2272	vssvc.exe
Token: SeRestorePrivilege	2272	vssvc.exe
Token: SeAuditPrivilege	2272	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1104	WMIC.exe
Token: SeSecurityPrivilege	1104	WMIC.exe
Token: SeTakeOwnershipPrivilege	1104	WMIC.exe
Token: SeLoadDriverPrivilege	1104	WMIC.exe
Token: SeSystemProfilePrivilege	1104	WMIC.exe
Token: SeSystemtimePrivilege	1104	WMIC.exe
Token: SeProfSingleProcessPrivilege	1104	WMIC.exe
Token: SeIncBasePriorityPrivilege	1104	WMIC.exe
Token: SeCreatePagefilePrivilege	1104	WMIC.exe
Token: SeBackupPrivilege	1104	WMIC.exe
Token: SeRestorePrivilege	1104	WMIC.exe
Token: SeShutdownPrivilege	1104	WMIC.exe
Token: SeDebugPrivilege	1104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1104	WMIC.exe
Token: SeRemoteShutdownPrivilege	1104	WMIC.exe
Token: SeUndockPrivilege	1104	WMIC.exe
Token: SeManageVolumePrivilege	1104	WMIC.exe
Token: 33	1104	WMIC.exe
Token: 34	1104	WMIC.exe
Token: 35	1104	WMIC.exe

Suspicious use of WriteProcessMemory 80 IoCs

Processes:

Ryuk.Ransom.bin.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1584 wrote to memory of 1240	1584	Ryuk.Ransom.bin.exe	bcVfNtDoblan.exe
PID 1584 wrote to memory of 1240	1584	Ryuk.Ransom.bin.exe	bcVfNtDoblan.exe
PID 1584 wrote to memory of 1240	1584	Ryuk.Ransom.bin.exe	bcVfNtDoblan.exe
PID 1584 wrote to memory of 1240	1584	Ryuk.Ransom.bin.exe	bcVfNtDoblan.exe
PID 1584 wrote to memory of 1224	1584	Ryuk.Ransom.bin.exe	yuLRYRocmlan.exe
PID 1584 wrote to memory of 1224	1584	Ryuk.Ransom.bin.exe	yuLRYRocmlan.exe
PID 1584 wrote to memory of 1224	1584	Ryuk.Ransom.bin.exe	yuLRYRocmlan.exe
PID 1584 wrote to memory of 1224	1584	Ryuk.Ransom.bin.exe	yuLRYRocmlan.exe
PID 1584 wrote to memory of 1648	1584	Ryuk.Ransom.bin.exe	NuPLalLhPlan.exe
PID 1584 wrote to memory of 1648	1584	Ryuk.Ransom.bin.exe	NuPLalLhPlan.exe
PID 1584 wrote to memory of 1648	1584	Ryuk.Ransom.bin.exe	NuPLalLhPlan.exe
PID 1584 wrote to memory of 1648	1584	Ryuk.Ransom.bin.exe	NuPLalLhPlan.exe
PID 1584 wrote to memory of 540	1584	Ryuk.Ransom.bin.exe	SCHTASKS.exe
PID 1584 wrote to memory of 540	1584	Ryuk.Ransom.bin.exe	SCHTASKS.exe
PID 1584 wrote to memory of 540	1584	Ryuk.Ransom.bin.exe	SCHTASKS.exe
PID 1584 wrote to memory of 540	1584	Ryuk.Ransom.bin.exe	SCHTASKS.exe
PID 1584 wrote to memory of 848	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 848	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 848	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 848	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 908	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 908	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 908	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 908	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 820	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 528	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 528	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 528	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 1584 wrote to memory of 528	1584	Ryuk.Ransom.bin.exe	cmd.exe
PID 908 wrote to memory of 1564	908	cmd.exe	vssadmin.exe
PID 908 wrote to memory of 1564	908	cmd.exe	vssadmin.exe
PID 908 wrote to memory of 1564	908	cmd.exe	vssadmin.exe
PID 908 wrote to memory of 1564	908	cmd.exe	vssadmin.exe
PID 1584 wrote to memory of 884	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 884	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 884	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 884	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 848 wrote to memory of 1104	848	cmd.exe	WMIC.exe
PID 848 wrote to memory of 1104	848	cmd.exe	WMIC.exe
PID 848 wrote to memory of 1104	848	cmd.exe	WMIC.exe
PID 848 wrote to memory of 1104	848	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 1700	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 1700	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 1700	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 1700	1584	Ryuk.Ransom.bin.exe	icacls.exe
PID 1584 wrote to memory of 2832	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2832	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2832	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2832	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2876	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2876	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2876	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2876	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2888	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2888	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2888	1584	Ryuk.Ransom.bin.exe	net.exe
PID 1584 wrote to memory of 2888	1584	Ryuk.Ransom.bin.exe	net.exe
PID 2832 wrote to memory of 2916	2832	net.exe	net1.exe
PID 2832 wrote to memory of 2916	2832	net.exe	net1.exe
PID 2832 wrote to memory of 2916	2832	net.exe	net1.exe
PID 2832 wrote to memory of 2916	2832	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\Ryuk.Ransom.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Ryuk.Ransom.bin.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1584

C:\Users\Admin\AppData\Local\Temp\bcVfNtDoblan.exe
"C:\Users\Admin\AppData\Local\Temp\bcVfNtDoblan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\yuLRYRocmlan.exe
"C:\Users\Admin\AppData\Local\Temp\yuLRYRocmlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\NuPLalLhPlan.exe
"C:\Users\Admin\AppData\Local\Temp\NuPLalLhPlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1648

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintHt" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\PbnX7.dll" /ST 10:25 /SD 01/04/2021 /ED 01/11/2021
2⤵
- Creates scheduled task(s)
PID:540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:528

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:884

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1700

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:820

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2948

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2916

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2992

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2968

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3148

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
4986149053443cc9ec153a0d5c843b65

SHA1
535f08ca7dfefba36153f16743f98cccca81b656

SHA256
091c5de22fce4f37435f298e7097cbdc2adbdfae96301d4b53c4fc73a3e18e30

SHA512
3a357bf0a9a7656d2e20f41eed7ea5d7ed4cd8cdfbeef9893d205649ee15231f496cec78a1a803277701ee66491754957c17ecb54e6d41c0ab577cac32e71100

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
2a144bbc0b1216617b3adae97e9e6898

SHA1
12b108f328edfa2dd42437454fbe16bede46ccee

SHA256
3fd4dcbb4f8ed46370438b367f4aeec4604ef6297f6a0257fd37c467576cd059

SHA512
97b8ea12c37b4f916fcb9354a7f1dcef58bf160bccb334f92d9ae8b30e0e20904ebe5cc9cfcbe1fa21622f7d2c8fac8c074a59fe63a3729025b00bffdb1b89fa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
f2d800e8309604c3a725c6f868f27947

SHA1
56cc002c6e30a0b5ba9172cea625c342eb1f2387

SHA256
8646e8b9495b073dbec9e143c39b44f13082ae2ae4f464d7826425ec3a666d64

SHA512
994e0d25cb3df9e192b2c9c5bd514da2773918332eb9ad59588003d2f5d52d0edd854865af9a08aacd4c9be93b1cf332a3158c1d1492558b753d5cedc0f4ebda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
49f93cf147e333b71c09c4b2e886266d

SHA1
1e72538cb5e23a5a725a14a584990bff8fc1d358

SHA256
3effbc702c2ad3d16818e5a2717af9e5312bcbe5ce2fce4e3851f9442fa671ab

SHA512
90b9032b078ba16c312bcd46ac96a571abcef63793ce68bb610d93009a2587a65fa15422c02c7c9ed64299d79f38c01a9650018c40f53747b76af43a66380a4b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
7238e6798864f6d750a614ffeba30b08

SHA1
2e08147ff7865af51cb1ed348a26785a97de31a9

SHA256
51ff830e8b21365165abef37d85f553193233339e1e74efaf7aff3659a39532f

SHA512
87a98c4959de91ca8b0745e865e2b6cc1dbc78a9c3b599dea3189711be1c77a1bd7ec75bcd8113421f46a1046df4d35d997ee6c4c8bef805f4fbb995245cf3b1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
143fee4965949ddb79d82d587b4b268a

SHA1
64545b4e9d8283f890cf5b658ea3b5d8c82516db

SHA256
6b62dadda938f9b8477b303f2c6dcef7b72ebcbcee7a0435a4d431fd5fab6e56

SHA512
f3049c0ea69cd44c8ccf973db9521b6f56c8b1764057bfbc5c27b98eec99142d74c11f7c41f01a83882faee5407405eaaebb08555bf51fc745b2156ece5ec203

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
4e8a8c3cacc53bba969bdf3e916acc87

SHA1
9e648a1fe52b20940da76e18be5852704b2ed878

SHA256
37d8e5595965627cc1d2a80423b2eba2dbba4d60f18dd8ad06a4140c34b179c3

SHA512
69cc2f9881050d21c86de121a600bd9806cc0a3ab9be3274e52ec03cfd89ac87f62a25928ff0e712e6eea5166544778321f8be3b895fb4c626e36b76255690f5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
35d47ae1dfb6370d763ee5cd214b3387

SHA1
330944edf8cb18130302cf2ddb4afe0762f52e0e

SHA256
5923e4711ecbc6688816e7022ca45d00eb49aecec0df2da3d8a3804b9ac6404c

SHA512
27050293bc02c0ed11b66dd7510298d79a335e5b369aa41da7908e95936f79d5102e28c44918540b0ea33a6d55337336b2934c7380afefefd8671ffa7a2743a8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
e201559f331fcac7d2deec8f4ca17076

SHA1
a71333b4a6a5aa942198afe488d8743508d1b1d2

SHA256
15c7d9e2f46edbb0ae6adda2597fc795ab2da101325458411ff02f57e27b9b93

SHA512
cc63d3ba0f7275a974dc3b8050f2987102e610ab85f0d7b1d7e8cbb4800e9daf59683c7762db8e5e7bf458c7d6cf167727f23e42ec7441fec9c721ec4fb8a0c2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
cb0ba3f0c7556f664fc746adee498145

SHA1
bd8aae24d9b6edaf20488ddbf3f4f04a140e4d94

SHA256
3e981fc8b3e35ec8754873af7eab22470daf231abfdddbcf04a06cd188861f26

SHA512
8adee53f260aec8466c89c8029fc8fc9d104e1927a3c390d4ebb48bfe9f3abfd704f54ca091cfeb8cf5bacb58d49caf91d7afb853dda0de3f6503f04b200159d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
70869da6ea05c23e587bda94a05fac0e

SHA1
a9f36cfc582c658a2512b52086d4aa455afdb099

SHA256
8588792688ee840f23da6dff302b7f02e025b5fb8da256bd959bae3078bc48d3

SHA512
d664a3a39f7856ecffdc94b83b77d692047b4e8ada80ec49b3723390f97e69ef5bed1d529acc50d6bb25ec12e8d46a88ff106210f251a75b6bb54d4af0d6a3ca

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
a8df4fc796eafd4fcb466ffd89bf6774

SHA1
69f7bb0d5aa3c38da5827d0a8c5d3a2ab600b138

SHA256
cc7739e2af1f40f535a2a54d9323e5302a93a35f79e86b2e0492a1a07bc4a0b4

SHA512
22685cc78cb304793b820167c61455961394bf626cb47b99cc12bbb9f21337271a56485477137f11d79a6848e042f8326add73a53dafabb1bd1ab05d6bf7921f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c12d4ff642b5b4460283e5a09fd262ee

SHA1
89b7dd38617828a099a3ebe5291055d1b46b4216

SHA256
c04b34a7d35e983d6f6bd642ea7503d557893f69b35d9eed4f5f23e3b273dfda

SHA512
4a0438b9681a529ccd01e134a37983ed249605ad07fcbfec8f4167c454fc8a68a535352b0830c19b54027d9dc1927a9c03591bf820ca3b479682de4c5eab862d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
d847a278d6bbc42a55f577577681158a

SHA1
dc8cf799a9d3f2a563d8d30c21e6f03272c21181

SHA256
10cd85056d79711f5d5ceaec283261b841e9534ec69e7fabbb8ca80cf274dcac

SHA512
63e0f11ac01106262ef2909858c0f353e22c805d5d835029506ddaec327e7a7bcddc9b80cdb64c4036b291e820543ba6e243e3cdbeb54db8449228fbe4133fc8

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
c438774acd57a714eb163202b315ffee

SHA1
b7f26c086341168b5c091339b2586f96eb20f15f

SHA256
8d255b7f5247c8401fb79ab7016c48247ca0d017a99d11a74eeaf8ce81a6d359

SHA512
f4d994f7f5beadc9fb8d1d74790ca3dce273fb2544970cf3f6b61231f1403659df8bb436dc30c4d1bd3753dc569a7b6221221ed512de1c9b9400ab916bcbbf45

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
ffbbc6f5843bafa7647bc44af3336096

SHA1
88af856022e39dd256eae8d76805a1054da3758c

SHA256
3f40e0d2b55120d452d61c41a550b96ac142e51e7d8fa2c75dac036f4dced033

SHA512
47d3d5a3ee3a975374711d14fac5a3bddbd0bea4d4a654826a803ac3659a5f3bce386554d25d77e1d33aac1d10ee19fda8684a2f8cb270790c7c817cb360bbb0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
b4f5916134f8088446300a8b4643e88c

SHA1
0d4fe6e540422de8daed2a7ab2558d00c7930967

SHA256
91758613aea2994734be8634df1a17174ba06d555f9b6a89a8b42225c97a1218

SHA512
47485c1814aa4f7708ae230aa68017223718bcba037afada09181abd3bc1d18f858ca02449c33bbbc415d10a6236ce27f7d55241077a13a8f26247d1dad9adc5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
016f33a736c2dd3c6eeec40c5020c4a3

SHA1
aed9060965a663bdb345244b83c92003dad29127

SHA256
5ec00c4e71be545c38d24fd6bb47015de1e655c87e24bb61ab9042d764119c7b

SHA512
e7300e6a1bc41e13b69c513b58d0497913c43bbd26ed29a6a1791a2c937dfbd5de0a2d174a322b6816f431b28f3a4e7655397ebc635e82a4ac6afc86815b8083

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
2e3c68a5554545b27f3c2ff8aa80b2de

SHA1
fdc475be35f8dc63de32e44b62c2fff4a56d1fb3

SHA256
d6b91831c6671cdc153e8c4ac33a359753336964f4b5ec7bfb6201fa35623cfe

SHA512
94a2d594d000c62dc82a7d4ee8137800eaa2cbcb91062318a9ac42dcd24e8af9e46180f6235924a7a129cc562a3259a59263076fcfd5c0cf5243fd5045baad69

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
9f4975b85874bf87635e89daa48e1a3c

SHA1
a8748f8fd5d9d6ad2ed62995562b1b2f54f79615

SHA256
091b550e8123aa8855cf2513d45b69b0014e5813b992cc41752c3b823a97e18a

SHA512
1dafed76a58b8ef7157497bd856c8baff969e6b1d945c0d916a0c66112dc0f7fec726bb42f4ca38c2c5e59fd29da6a0a6fd0f95d55cc7dcf45e2c299fcd67d68

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
da22f1da4b86e82ba61267bf5bcadfbd

SHA1
609995e2ad055e6adb8712180121fee5341aa1cc

SHA256
d82e0499fec936802246c8b718ed3b5cd3cae1bfe347e5c60937ef07e8cefef0

SHA512
71d9aa56b56f82b727c6949c788439ce02552bba06cecb3e3ec89ffdac24adb9c897dc0e5c70e47d3bff3c00c01822aa76725257cdf3c6beec53482f28b510cb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
10c284a61ecd3f208c9634f1b444211f

SHA1
ae6cad1a2889051860d94e700c29613e7483862a

SHA256
05ef939e96f97521a44a00bcc0337b98758c7c85eb2f79237838323665ad4c7b

SHA512
f3e9e7c6ed1bb3347007f31bd6a092378b2ee8c2f2fb984d17dfa2fff3244db9fde69ec9969781197e0d81439d45cb40b61a730faf2d18fea13b602ef4ef844e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
84492a8df375b9ff82e13edfd2f829d7

SHA1
70c5c101ad8c5d94dd584fa0c0cac85fa51b8f16

SHA256
3123806c50d010e1e5ad721ec516536fc5fb430b0367336641cc53f8f9ad2f39

SHA512
8ff69c87e278294b6db817bb2f22fe1e75de3838a5e05de853ea68542b6cf20a20ce33f120819989c4af442c6a0dcec300ce05c71598bf329b8660239fd4540a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
419775f990ef25c242e176bac8320d25

SHA1
ff5730bc180047a7f9c4b30e6e18cdfd20c0eae7

SHA256
9e9f79f8e2a521a942a86bff6b82ca348a5ceb7e439fffc07e2141fa9f5b1593

SHA512
f2280f39d40a71cdf142a9b0e013fd45f3710cf32442f2145fa548ad3a65763b03a0b362936994cd33a21c1d9fd362c7b9244c5bad868a9ea6ce3d1ab8ad60fa

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
a586dc61185c2b43c4415c0ecc434498

SHA1
0a90d256192fec9da72989984974113bfbdebd81

SHA256
0e29cf142911229625ea49fed2d165fb73b3e69b6cb263042dbf3a9df40d7809

SHA512
0a214a7cb919709ff6991e9aa063a4340b232b4e43a3cc9cf3fdcd233a3abbcbd186d1f5e91fb2cbcf5eac47905071d82e5f073c36373a09cbcd356ac7faf085

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6e19e09186dfef68a374b6dfd9c32849

SHA1
9ff300e1fef7fe742813f1e0a0ce96e293512818

SHA256
c43d7f630796c50364c429c8fd714db38f474817f1b5e78c074bf9dba994f176

SHA512
df7b9f12243988105488f353b3dc64b92d7ae19bde8c5a4c95c3959e6fcdddff133b27a32bddb9e69acb830ed84b4a763511318b31bf8227f58d32c542f12616

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
62d361a4060a9c161042a4414986d343

SHA1
4b2ab5a7fe139cf6d1b40ced8177240940c266ec

SHA256
695e385859cbb1de50f190767735a1740f6d683b340d40b5ca1b91aed5f743f4

SHA512
5de3f73024e7e6dc70472dd0908dfa653fa0e114ac0f5de25334e53288404a8fe9b5901e2c83ac332c44934acb9b9976d600de6e33448427ae2c2359ade04eee

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
d1f4b66d6c01ce45d0d45cc06e2551e2

SHA1
aa853e322871ff57604de47d858f8f223a8a030d

SHA256
c004987caab4b64e01018413163f2dfe273b99a893b9faed72ae5ec3ca249ca5

SHA512
cff53ae00345e78f97c260f6d23de624850b9777c75f0189cf6a77018dc11dc453e166450a910c9472688d189b377cd6cef1ecace84470cbe6da16a0282291bd

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
16793b7e0e521c92617ddf227228441c

SHA1
6984467450304843f2d6a47e3361ab1be55d44ac

SHA256
7738e45e2d18c657f9451efbf14d1b4e44b9b257dc0b3a9c02d2cdd80954bdf4

SHA512
c3686597c1e0c7948c51ab18926b83af9733b94db21f5d20f307a578ac6575a91b9c6f78f7ef441c20665788a70c140bb31ebf3cccc764d3bb6411c71ddfcaa1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
b9035d4909d02b3c067e8c0a89284e87

SHA1
d5c7daaf2b0dcd00d5299a573f3393949087116c

SHA256
5fc4712455ffbe9aad0b52d35f8fdf7b551a6370794d26f3b85f580789df934a

SHA512
b2b408e349dde68883eb48741f5d8e630644857ec8ffbc0aae8b64d93053f9014244f1215984c7028ae7905b1a6b323a32769b8b5901c5af04c13f2125e147fe

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
0be04ce209b2154e47b12f70d7ccc8da

SHA1
e635dcf6c791a48b2ade28fa9905baec222b576d

SHA256
8638ec18ec58072402b7852eec0e3343762ab042ba3be7aa8256a46e4117bb00

SHA512
39c1a402daf22b9653f42ac0398a9156f16f7a8bd253aa929aa21972729084cf4aa50948d20e8cd95062eb07b4c3ea387ec3b67d0e1b74aedbc3c2c4e5a1c7fe

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
78d0b0df0543159ec341aff6dd9142f6

SHA1
98879f83e328d90ad749a0a6e3fea6b7a0df0f94

SHA256
fe95df865a71e63e02c9af31a2321cd07933a32b14e1a4050e8dde6d6ae3e278

SHA512
34accb3f06119865df2462ac02b6a3bc4bddaf5e28d9d708704d3d03cf9f8618842c0092f304fa57dc6a76224040d62cb8550d44e3cd8dc0dd54912e20a95a41

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
fa45c3fe38f5f3b1bd30d2c3f816605b

SHA1
af344a5ad06c4b499936934a49103c342f759376

SHA256
6cfb3a09358a637b205de623f6dec78ccdbe042f92b0f60f4cc786f65520c585

SHA512
b8ce6ff346041283061db038d9d9a0edf7d0a488cf97eca8865615fb10f330f67ae0a341fcedd5e04682916255b448492ae2fab9d5be610ae9f9973ba63dc6f1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
0a61a8e9f2f86b16073cb2aa1d443622

SHA1
0325642611e15bd444f570b39dabcd78606d1a49

SHA256
60e78ef04deae95622c359b954237706e07648ade3e14997a5249ae8b01bec08

SHA512
02803f7af0b2d952097dca72b1042c86c308b53f9ae516e596dd679be242064980f61b580f95314256be5e1bdafdfb5f2bc20a07ccb092da168988a0459d72b5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
e63c9d01ee7c42cd5e7019e2f9aa558e

SHA1
841daf6a067156ce0172b3385c79c7c05c2c34a1

SHA256
f3da4f2d486cda600f94abf75ecd5696503fb5633f126928565c1c8da3e58f61

SHA512
a9f76e7adf4588958665f3d8c908cca2392109b4e3d95f9d7ca0188881cf05d2b1cf5cbd75185883ebaf334464e00fa6f53115fdf24ae80115b24701acf2f132

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
f65a778b3878ff5478923b8e2988f04c

SHA1
95bae34717eb2651b4518c8b999316ac16d1a5c1

SHA256
74df759e42af4c795f3daddc9b7658d5802bd2c46537e8c900f3e5c671e1e94c

SHA512
2d241b8ae7fd4c7124827ec796c467752d1e3174877f09d9ca47d0c99e6df67add04510052fa0dcfbe59bcab3a9b4024015540e97868f747cde5a4fd7c5aa541

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
7d8ddfd225457736c94e10b2325c6ed7

SHA1
538338e95162c1555d347b05a07f83e7a4d5798b

SHA256
248ea89b61a1ae7ce741670c9710081f25edaa0854ae566d086f45066bf5ae49

SHA512
928a976d76662d4755d1a87819ac99e219a7c566e5e08d0e0ceaca4b8bf8072e4d096b44f440adfea6feabbe069d3593c1114175c5a4c30e01ef387260d9eeda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
9da63d5ecb2d2109f9ff6f43a6ae1a90

SHA1
18851fbb00522552b0c55503f3e3458a09b09a53

SHA256
e75dab982a85d2fe5df618f0e0ccdfea18c830f01fc2847334571617eb833418

SHA512
c33c83e4482d82bdbf737438e31549783eba60abd10bf4c91c6aedee7b928347269fa89c401300bfc7a9201dd14986626661f64f90f72cfe4af8ea858941ec98

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
bc32dafdf830bdf8e43dd48c886f1c1a

SHA1
80c2207487522620184114799dc92c5d1e2a155d

SHA256
64ed9aa872d7b1ec19467d8859f5dc154b7b1e0cb72a5e44e77c009ff407918e

SHA512
42276bb6d13debff2af06a5c92cd4b03fcd638a6257856e606ac42b0f1b53ccf70051aa989e57b55c65c4f4e976cf6f510954a369f335231ac5f1938deec24f3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
85471169bed1eecda30d558a6de70281

SHA1
64d755a456b92981a71c664583175e1585289e1a

SHA256
f009db7bf70ddde233beb97fdbeba486eb69ef16dd300eb94d53650735a28a89

SHA512
d4995dd558b090039c41a1d5ef07fa787777de1a7e40209f15cc4f6187a4c7e7db149e9e30ef879f9c9d6d38a430ad5bfe03e47886ada75f1cd8538b66deacb2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
44247b73a1d0072c4c08809635e5d155

SHA1
26b975d7e324836c4caed39cdee1cfc0a4860c3d

SHA256
daf4c3266d72112c2ab28d45ffe09a02138284b1da44523bae8f68ae048f4cc7

SHA512
bc3bd97302f66dea31a5afec3529d6a6933f28341515777d1eb0bbfb41db1b05f29cdfe5b994b6c498889b33f5334420e917aeefbdcc140dff82b54075d2c646

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
a18d2697ac3d6e294a6554ba80576799

SHA1
0fd7d24ec25263421b51fc2116bbb259bab4191b

SHA256
a7265f08f501f92c2c05248b8f4ccb90632c6f77628b961ccc7440226d0558f3

SHA512
6b0f39d48721ac1a2539720f8b27678f5b96b5de53003f5c5e022daf7b731d891421cf733b42884cfcfc2eb68959c9f79fce9840861581995af7a77fa1452092

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
86568d36fdfee8d17b474ced521285b7

SHA1
2c780250e215afd1de0db2995906c230f9d50114

SHA256
794cecde55b089d15c84d67e25d39af59fef5a7ed30901200e046c99f3b3bec7

SHA512
d17642ff67f286c133f4126eeb013f0e80fd3fdb1e5a0f6b9605a6774b5449653b664c362472980031fcb399c0894409b6bbff52490321a4f0569ec68ecf73d1

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
f8fe9aef81e8b8cdaf7139468c3e74f3

SHA1
d893d5acacb84f6deeb82fbdcd4dc63b5b2ce147

SHA256
5b3ac6df460f059666698771aab2ea1bcfd82caff0f13e969104b22abd139051

SHA512
0a358309400909e44ceff2fe04380c49776905c127f7dfa7840f7e7789960642a8903a21210220da52a355758a415a4aed19ea05308384b2403973b7c2c57c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\NuPLalLhPlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\bcVfNtDoblan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\yuLRYRocmlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\NuPLalLhPlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\NuPLalLhPlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\bcVfNtDoblan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\bcVfNtDoblan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\yuLRYRocmlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
\Users\Admin\AppData\Local\Temp\yuLRYRocmlan.exe

MD5
2e66f487fedc2c5b3550a99c0f64e93c

SHA1
833b671237f563cf8bd7daa82b17850c139a8261

SHA256
4a64e31b6f1712e0eac920b8440bdc8fea1c3831405912ba483c3f2b18a28fc4

SHA512
f25c94e6abbe0ba0577d14dff4609401f5a2c8866a4acd2e5771c020c94ae8597c66f9186543981576cc6cc368145b557aa19d3b0e29e82a203db0b22ba95c58

Download Submit
memory/528-34-0x0000000000000000-mapping.dmp

Download
memory/540-30-0x0000000000000000-mapping.dmp

Download
memory/820-33-0x0000000000000000-mapping.dmp

Download
memory/848-31-0x0000000000000000-mapping.dmp

Download
memory/884-36-0x0000000000000000-mapping.dmp

Download
memory/908-32-0x0000000000000000-mapping.dmp

Download
memory/1104-37-0x0000000000000000-mapping.dmp

Download
memory/1224-18-0x0000000001F80000-0x0000000001F91000-memory.dmp

Filesize
68KB

Download
memory/1224-15-0x0000000000000000-mapping.dmp

Download
memory/1224-17-0x00000000005AB000-0x00000000005AC000-memory.dmp

Filesize
4KB

Download
memory/1240-8-0x0000000000000000-mapping.dmp

Download
memory/1240-12-0x0000000001E30000-0x0000000001E41000-memory.dmp

Filesize
68KB

Download
memory/1240-11-0x000000000048B000-0x000000000048C000-memory.dmp

Filesize
4KB

Download
memory/1564-35-0x0000000000000000-mapping.dmp

Download
memory/1584-2-0x000000000030B000-0x000000000030C000-memory.dmp

Filesize
4KB

Download
memory/1584-3-0x0000000001D50000-0x0000000001D61000-memory.dmp

Filesize
68KB

Download
memory/1648-23-0x000000000028B000-0x000000000028C000-memory.dmp

Filesize
4KB

Download
memory/1648-24-0x0000000001B60000-0x0000000001B71000-memory.dmp

Filesize
68KB

Download
memory/1648-21-0x0000000000000000-mapping.dmp

Download
memory/1700-38-0x0000000000000000-mapping.dmp

Download
memory/2832-94-0x0000000000000000-mapping.dmp

Download
memory/2876-95-0x0000000000000000-mapping.dmp

Download
memory/2888-96-0x0000000000000000-mapping.dmp

Download
memory/2916-97-0x0000000000000000-mapping.dmp

Download
memory/2948-98-0x0000000000000000-mapping.dmp

Download
memory/2968-99-0x0000000000000000-mapping.dmp

Download
memory/2992-100-0x0000000000000000-mapping.dmp

Download
memory/3148-101-0x0000000000000000-mapping.dmp

Download