ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
148s
max time network
122s
platform
windows7_x64
resource
win7v20201028
submitted
11-03-2021 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a563c50c5fa0fd541248acaf72cc4e7d.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable packed with a packer named 'Dave' from the community, due to a string at the end of it.

dave

Processes:

resource	yara_rule
behavioral1/memory/1732-5-0x0000000000380000-0x00000000003A2000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

aOLkrjIygrep.exeMugkIqqutlan.exeXFgYGlljTlan.exe

pid process

1224 aOLkrjIygrep.exe
332 MugkIqqutlan.exe
1628 XFgYGlljTlan.exe
Loads dropped DLL 3 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

pid process

1732 a563c50c5fa0fd541248acaf72cc4e7d.exe
1732 a563c50c5fa0fd541248acaf72cc4e7d.exe
1732 a563c50c5fa0fd541248acaf72cc4e7d.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2684 icacls.exe
2696 icacls.exe

pid	process
1224	aOLkrjIygrep.exe
332	MugkIqqutlan.exe
1628	XFgYGlljTlan.exe

pid	process
2684	icacls.exe
2696	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	a563c50c5fa0fd541248acaf72cc4e7d.exe

Drops file in Program Files directory 64 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00601G.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44B.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_ButtonGraphic.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Darwin	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-6	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\tesselate.x3d	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\AcroRead.msi	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21329_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME20.CSS	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can129.hsp	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00177_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153089.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_videoinset.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Guayaquil	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\EXPLR_01.MID	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15133_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\LEVEL.INF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_09.MID	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15170_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\IPEDINTL.DLL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tanspecks.jpg	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Verve.eftx	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18180_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01196_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CENTEURO.TXT	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBE7INTL.DLL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0186346.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msadox28.tlb	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Graph.emf	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01157_.WMF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\1047x576black.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightYellow\TAB_ON.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR45B.GIF	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WZCNFLCT.CHM	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationUp_ButtonGraphic.png	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\RyukReadMe.html	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Style\GB.XSL	a563c50c5fa0fd541248acaf72cc4e7d.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	a563c50c5fa0fd541248acaf72cc4e7d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exe

pid process

1732 a563c50c5fa0fd541248acaf72cc4e7d.exe
1732 a563c50c5fa0fd541248acaf72cc4e7d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exeaOLkrjIygrep.exeMugkIqqutlan.exeXFgYGlljTlan.exe

pid	process
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1732	a563c50c5fa0fd541248acaf72cc4e7d.exe
1224	aOLkrjIygrep.exe
1224	aOLkrjIygrep.exe
332	MugkIqqutlan.exe
332	MugkIqqutlan.exe
1628	XFgYGlljTlan.exe
1628	XFgYGlljTlan.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

a563c50c5fa0fd541248acaf72cc4e7d.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	aOLkrjIygrep.exe
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	aOLkrjIygrep.exe
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	aOLkrjIygrep.exe
PID 1732 wrote to memory of 1224	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	aOLkrjIygrep.exe
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	MugkIqqutlan.exe
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	MugkIqqutlan.exe
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	MugkIqqutlan.exe
PID 1732 wrote to memory of 332	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	MugkIqqutlan.exe
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	XFgYGlljTlan.exe
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	XFgYGlljTlan.exe
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	XFgYGlljTlan.exe
PID 1732 wrote to memory of 1628	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	XFgYGlljTlan.exe
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2684	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 2696	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	icacls.exe
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3800	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 3832	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 3800 wrote to memory of 3860	3800	net.exe	net1.exe
PID 3800 wrote to memory of 3860	3800	net.exe	net1.exe
PID 3800 wrote to memory of 3860	3800	net.exe	net1.exe
PID 3800 wrote to memory of 3860	3800	net.exe	net1.exe
PID 3832 wrote to memory of 3880	3832	net.exe	net1.exe
PID 3832 wrote to memory of 3880	3832	net.exe	net1.exe
PID 3832 wrote to memory of 3880	3832	net.exe	net1.exe
PID 3832 wrote to memory of 3880	3832	net.exe	net1.exe
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 744	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 744 wrote to memory of 2856	744	net.exe	net1.exe
PID 744 wrote to memory of 2856	744	net.exe	net1.exe
PID 744 wrote to memory of 2856	744	net.exe	net1.exe
PID 744 wrote to memory of 2856	744	net.exe	net1.exe
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 1732 wrote to memory of 2768	1732	a563c50c5fa0fd541248acaf72cc4e7d.exe	net.exe
PID 2768 wrote to memory of 1100	2768	net.exe	net1.exe
PID 2768 wrote to memory of 1100	2768	net.exe	net1.exe
PID 2768 wrote to memory of 1100	2768	net.exe	net1.exe
PID 2768 wrote to memory of 1100	2768	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe
"C:\Users\Admin\AppData\Local\Temp\a563c50c5fa0fd541248acaf72cc4e7d.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe
"C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe
"C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:332

C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe
"C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2684

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2696

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3800

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3860

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3880

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2856

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
e845bf05ae65fde8aa4693e538fde565

SHA1
810ef4f75f82f1411aa512a75f7c9ff3cfbbffb0

SHA256
e6fcdb783c91a5295f067e9603c720dc43eb408843c5716531e7b2674471b4d0

SHA512
d67e82612ee2b4bfa217e512c9747d480e0e4e2300d39045aa84c44ce8bff0475cbff5c9e57e3337cb33158d6e01e7ff66b5a1cdfcc49ee9b5f1ebcc04dc5138

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
c641a0f77d9ae6815838df927166c833

SHA1
62187d48d2313d729f86e0bc25b9ad5b2be9996c

SHA256
2144c11c72f29c3f8f081e7e2e4169b3e30ee87f7c2ea142d616a147dd58d098

SHA512
0a6e02343be5d778194bc9c1bca689abfa4b830e4bbc0ef49a8fc79d894a1c63848499257e4afd08426cdbfb81a5cb45db68d2945f95a59abcef5ba9ccc596f5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
5000d7eefb705a99f15ba09c7a7bb95d

SHA1
549211da1ea794619ffff27a5ecb6fce69a99af7

SHA256
14750e3fd2c2bf026266bd6b603444ca3cd0d0a4e8d93b4a309de288b71b46d6

SHA512
aad1ce984597c2d47c405f21279ea90e31839b99b8baa90887e1540e0b212241f0560d9942b44e51408d7bfc14e172d1486e2293056911f7e89d6a0207beff43

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
c16bd00c39b76e770f14d9c3edea71fd

SHA1
e5dd4abb2ad89d9d91557173bc90d63873eecb04

SHA256
d187ad3d316a83bfbdbc7d9a68def9e464d53de25e6597717c242a190d4079eb

SHA512
24136a3192db60945c431e7bfc0f76c2398df18d92930db1e896c4bfe4c8439b6356aade9fd73924dac4b4e6d717f1824de440696e7c22a939241dae6c441522

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
e65ef5251db5a950d6822a1e365c07e6

SHA1
28493092e3e6936ca368be91ad417553b1a7bc35

SHA256
bd27291fd41eba87200a4925a82389c157970b64f1f5aaa656e45c282d9069ae

SHA512
e6f47646d34f574a3497fd5cc494b3a8364d80bb440526d8eb754f9928a737034c55b68982af3ebd834b3a10e7fb684744fe34b2dcad83c085ca1f9554be5ebc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
34b76529bf84b5f8be13f4d492283306

SHA1
044a75ed92e912069d4f5c1d5c0b0efa36895dc7

SHA256
1f7454b29430377c4517439f964a28702373c65d3a935d75f77a1d02d031b700

SHA512
f877640cd3348c92582a4506e9301bc6e69c889196c16714d0e34959129b435da25d6f9e6ddba5acd14f24e0d44d7a609dc3f96d55a79a2daa6a06af971ad59f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5
a50391a68d60d3e65a18b8a788de277b

SHA1
7fcba683edf053f7023476c7a1b12cfb444bee88

SHA256
7ac267bbda839d505e81254b596c21a8150b9f326b7e6402b14521a4716aed03

SHA512
2b2487f4ec958ddde2d659fdb174bf2c2fddf1a141411e9ccec944a8a9956aa0ceaf898f949cc56c356777e8e34cc294b300a8b26b83821ddf6a4517d02a0a27

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
8bdd3cbbc8ae4b9aca0a750ed3bc6bc2

SHA1
fa2cfba9ca9fb04bfcf0fc0c496f3712788a895b

SHA256
1292c75812875847a6046ded5e1a2f540eb4db2963c85816c611612bf240d320

SHA512
1cc42647b8fcf7a0b635f193b31afdacd8a4d675488a967a7ead031565d3edc16bfb05f768dc9683100a6df0b8afd427bd8a9dac95eeab80f9e6d4e9b712a0b7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
9a20dc5a0b43a19347c80ffb2925e611

SHA1
f4585367bd247eaf42cd891a220551eca8d1a391

SHA256
95ce69038db2ae2852e3ba2dfaff94302758a946d509a92718b3fbde1baf517b

SHA512
2000ff6463ccd447c9f96f156c63cf12e7f3d0eeda3e073c4538dd93cef71f4b54de36e448ed6edf833cdffd2f408c5f8801ef1423302f614ad2136c5ea636b2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
b233c821697f3fcefcf77e5277b0f751

SHA1
2fcc68223cf5c7e97ad55c4100f026a208be4d62

SHA256
bad082c253ef0bfac93341695560cf55dafa904b878ee5c2e9824427324fc199

SHA512
51d0e5e9b795c97d84135e2a524c52c17668cb37cb2ebde4eb0c67e6840e978a7233831dc539c70d869b0ad8dd3ed27bec368f3dca91ed79f3b3a75666641116

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
ad43577e0221d37bbfdc185f4b82bd91

SHA1
5caa50c71f3cbf9a8d7d1fc518961261416e95a9

SHA256
bbbf449d4e9ce107d23142884fa4817f389841ae2289c3d62628ed55befcd859

SHA512
f9c27bf0b5725141b434ac734e8d506ad079fd389a25322c0921e8f562235c15c8490a8b6d2b8b0743cee9779ecf60f004cfdcad0c7bdcc716f72f30d32bf9ee

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
27e63a3d4e53dc2e257872c05c852039

SHA1
6326cbf048d9fce2cf55e0dd7f1c299fbb63ead5

SHA256
e2041cc08f68fb36d00da96590d5c7670e08126467c34a10e710f90fbf381085

SHA512
5908d8e4af7065a70f6aec990637c1085f95b150b4a00f4298288b99794e5488a6b59cfe5eddb6ca2cca8aa94379eba4b1b6555091820bc7b69cccbe54740bb7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
deb8db178d80cb6b78533156d0255a63

SHA1
baa75a4ff31dd6bac8dc05237e455714c2411bb6

SHA256
14af51409f316baf951dcf91442b5f3c06db7aea153277930fbcc867faccef4a

SHA512
9053dea0443a0d4c19defd1b80d2002e5fa40fc861221ef8f968ee1083bda1b04f8e03d2663ab24d0e5c81e6f771b7cea1a7ca57a380901519ea3849bb9e3e1e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
dfa94f359775516e152679c79a25ffb6

SHA1
bbd9aa722408af3e77142f7952923ab5b03d17f9

SHA256
38f3b8219c5fdf1764d063c26a5412bafcd5cfce9ab51c61089ef5f3b3a35f92

SHA512
c127553effd5105cca1fca02ee1312155d511e87a1c28d6c0769db36956444d66d85f5bd9b912fdc6843131be28df4250f2497d2e72764ff901fe54e4d658df5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
d0edbb18de6beee6cea8ed4e2b6520eb

SHA1
8cd721fe33adac9cb97f999dd922f905f7c5aab4

SHA256
93aef629fb4ce13b2c4c0e82aa42343697afb6ba7e153bf8244775615421870e

SHA512
c73f39029a3746c7765db060ba440c270a6b6392078b777bdc04c2acf2c8d4872c34029bd44f7cf7b5ad5fd01a08fd2c0a641dad277838680c8ac3111e59eea9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
ccde6e8b273a774846601cfd722f25d8

SHA1
ebff348008a18717770a2f89731f938368483648

SHA256
edec7685645d8ab6afb4d24c8a285d6b29d562c9e58f89e26d40abe09cb6e07d

SHA512
3910be802a0eb9812568478b978951270ed2c32c1a47e4f97c0344885573a46eed52b884abcfc5d87bd8b745000ba1a942a62113926c64ff80efc0f82bc37703

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
e7c01016c72178ff770ae12dc5d526ff

SHA1
a55e175dcb9c56a400d5c46c9300e2c25b16e6f0

SHA256
67346d49db1cdd1ce79bdeda35c4a237ce25568040b740afe0a7768fd43a8e38

SHA512
f262d7e33d0d7fe1d9482b058489eea23caf3771a952c6dda92f05427e1562244bdf68e35e51d71a2adae98c723012c9a7b51bea3c32cc4be30edcaf59fc6a12

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
36036da0fae0c8b62a180be67160b1f2

SHA1
992339ab67c1b38002f8aac2704a237f7fc875e5

SHA256
d55d47dfea8797ba0c2c59c62705a3f4fd0883f2f22f237f0537995f3c186e2c

SHA512
8fd17cf80d166005fb63295d73075839dbad633a30a91ee033baac38312872a1186cdc7f5e60f7b44ecfa4d2e87e88d46a97d2cb628a6341581dc6111114fe2d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
97730f249c265e2c0b9ede11bf78a710

SHA1
8e39784b2d8ca50087469b41bfb7ad12e56c12e3

SHA256
07095d8ca33a9482ddcf540334def7add8e17ce2ff05b2977c9ea8e2fd37d7f7

SHA512
deb96a32300bd43f676935144263232e3d4ef9b7a96c7c8bab6b8c013294b0325947d946daedb9a6cb5c4ed0c6cb02cf234fd98891f05183dc2f8c867a7a17a0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
6f78ec7c1bb276be1d39ab74416daca1

SHA1
ee35332a7d950a26433d7090c69d0b8ecfd254f8

SHA256
c278c07830c19c63f2c8f530f38a0151da4f6266857b61631fdbcf98f570bf54

SHA512
c028f5c7f5090a97df6d0b82b95e4bcb09e38feb7d87fec5d49f5e457af88f96c5cdccd82de356ab1a1d1701aed0e2ddde7be94b68a18a36fba5d0f255cdd4eb

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
81d38f904dea918b932f80ad0d2c167a

SHA1
eadf586d7bb49baf1983e01b99ebac9ce56ffab2

SHA256
0c162c12db9401674d32838b39e10f24876d646faa00b082c92bb033740ab8e8

SHA512
e382a27680e34926c3eb0dbd84237a41549ae57e311f8f7342fb58aca4992f4ad32e69fa0e7f3185fb4aa120cfa0a2f276f070a6d1943b865874ae824fa0ac14

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
8a6f0b37a9f412393a2a44db84b02fb3

SHA1
609d50b6e9dbd74a1064bf8b2068d2006993a000

SHA256
c9e36ba5ecdb2d5a9471029909601d9ffe4d6c4f8b64c22ac75f34f2405cc7f9

SHA512
774b172d7b0e2c0d9238f2ffa3c68222864067629552b158399daabd7ce91b42d1db001e9458bd04ca78813c4b6bb2e74207a52ce858b0884d6838a6f7ab643e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
500aff8db717330adb5075769c196d53

SHA1
c0cd3070a237ca8a01552b8ff331b181f614721f

SHA256
ce67e718c9dd83fb083e1b8984e4eeba4f7bb990a3e526eb4e9bdc950553c4c1

SHA512
fd206e1887f4b432ba42de50d3eea9c9ef1ac6830e329e8977ed9dc35bd71bffa11c6b5fca6f202db70b3db47815e8484f09ba4797f760dded4f56a6912d8f2b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
b17f4f4d4dc9742a8634eae16acf1289

SHA1
208e8a2f918777f1caf99641ae872d9e4c69f38d

SHA256
6ef535f1d38cee1e12c8a64e4bbc9ef324ec4d485c50b7602ffba1d43261525d

SHA512
8773bf2e743d473dfe79ce56a75a15f578fc198ef58aba96aca0021856120e8665dab193c991940d4475d1adcff17b33c1ad1fdec679a6996b7bdc31982c5ffd

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5bbf6044531e7384cd30890889879141

SHA1
20b3f9d54428efd8855a0ace82f651a4f804b3c3

SHA256
50f84f43ffc24eaf1d393f34018ed6619d90df250cc177191412f34495b47ae1

SHA512
7bd732f7d9af59fba29acb94332b4c2345970e0001ec271db2dee298ef4e60c9ebc3aa75a9a503d03f5dba9ae7ecca27c0ff7c5d1b9d45128a3fd4fbc1e3b080

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6f39f079ed8d2deb82c7a69b9ed4755c

SHA1
b6db3a7f39680b7f4de62e076e6642216ee42ecf

SHA256
8a89b10be08d432749fedb3bee4646f73bf35e535ef94fdc750e11c1b213294c

SHA512
c60d34f89eced2723b5e7f78a95a31b389e08162c621063d1f4ea0bfb183ad56c931c5c11387616a68cf95a33c307dbfdee4be6280697474f149909799b09a02

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
12fcd4070184ca5707960133f9519ed6

SHA1
d35b1fe9ecf9637b5742d93f5d4f40ab424f3a5c

SHA256
d107bb5624e1f5f08b0d98e2b0d380ed6f293f8dd0d1274121d05c34763e5a5e

SHA512
2efb59e6058ca755fa228a5d36403f733d350320f44c64765892b51facf5e2506e977d81a8062e703b2beb21a9f8099a6467ecccdb4b2c2a94bcdce6c710499c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
492083750e5ca3cb11ff4464214e0c9a

SHA1
bceb6ce0819c24729b7e021524e1a206ad653144

SHA256
1b992d8e8b0cc22de902530a959567ffc3bf0a5a173f364c2c73a9482c4e6425

SHA512
c263cd774cc3eb2af741aad7b71bb3cae0971b9fb20c068732311264b787ae71046602100b11827de7a0f05f8f63a83248d54ac112fce5a62d7df31534a6b35b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
8a097379faff626ea0a386cff9a1636c

SHA1
b127555345546216706fc89dea234af6d11ab334

SHA256
ad8d15d0697bcd0a28108a6dbd4f7aafb19fb27ca5147890ae5503ae19cd86f5

SHA512
27dc29c2c588cf7067f68518438e9f2942a8106cb37b39de7c2c84140a0fd01c872a395dca79ccbf884cb2f9fd71902c65dd98e1f019cbc014e7898890c18aa4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
f06c2c48065b51f60e2d9751390fb02d

SHA1
66ab70078f1c589dc928e477bf18d300289787aa

SHA256
26c7ba670299be7bdc362558e38fb75c1ccf8368748eb91f5d0673af89c64819

SHA512
8140fdf3dc9b66653cb924e9767b4747e5b7dbbbd136d98e734d537679b566b008199bf821975cf056e42a71cbb6b3f3fb881f96d9d4c174c44c2a84f3c314ea

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
6536d95b94109ad54dced22d63da3cd5

SHA1
ead6e9e73c1fe2ab84b05ba2d288a1d8ea8eec3a

SHA256
cfee37580f7a2414a1eb965ae42b6969fa53c880494ca75f51f0f0f1a8518f7d

SHA512
1cb96da8b3d52398b4fb268ed19f4cc7e05f39a863aec102beb0b738c458811ec1022d7362e86b6710ffdcaeb88ebbae15aed41188d69d2abe9a690975270402

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
703f897e522628700df700ce88342dfb

SHA1
38f64371da305fcecb0fa48a0af5b9428d39db2c

SHA256
4228bcf5d6116116e41363f6d7c7eb24294bf85dd3ad87a23b574c034adb47c0

SHA512
1d82c277703cfa9f65b2cddd194dab9dfadc9ee58917776a6843d6ba4ff57d891e788c16f75507c38e30e3057fc021f9cc14c2c02f97e3c9e5d7cd5c2dba2482

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
3a775ec17c4fc4ef9bd1bbb562798126

SHA1
25e0295428e32b7ffc68bd648946c24177d80e48

SHA256
b12b2fa4b2532b91deb7eed528b2a7825d82359e0c57895853243ade77df4ad1

SHA512
8addcf9123fa8bda76454d5f77f5979f9802b1b41d4457e6794c0e0405926b8f52a2e2471525559240d08b86274541aabbae008cc22e4af280d9d52bcdfad400

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
cee4822212f241bf8969d8509571d7c9

SHA1
b59dec3f9702cf482c9a41327b8d975cd74b2d27

SHA256
9feeeff9f51b4704ba65f3fdbb862616667db6a2000fd0e1a8ce4523d1b376b2

SHA512
0e544a037407fcc189f7e59bcdb8ce903c69b3057e1318250aa9822b6b40ad8f2c401194a8f8ba8ead5606b8782865177b37f83eff03ed6099613ff42eabe3a5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
96cdd2bbee6f9226da8f00f4c346b00d

SHA1
14510523491e5864476cd468772461438cac1ff5

SHA256
7ecb5e14e5f578652621cca91e2b71f8de329dd4cfd8f1101f8517328551b629

SHA512
65cc93c3df9b6063571e9e3da60ce93ed179d283ab999401fecadd9a67f42845a03e65c73c4afaf6b1a8cf807f1b6f26106c681bfd0c7c9051f0419622f1bc80

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
97c566b763a386a6573414d6bfb43179

SHA1
63ec0df4a5c459e618c5aa3873916711adff0e25

SHA256
d2236e53f33c9728b4b143f2fbb24b4fdf6a29ac79cbb58a9cdfe9cce1a09f38

SHA512
78b421c88b477bde60b15c892cf464ab262714bff586beb06edb6b305ec01e77e408a5331e8bd3ad21db8dc35ceb50908213e7a38a969312626d61761460926b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
36d0caf24456adf87f843d90e4a51571

SHA1
cec301e3075c9ad05917eee724ae99d1cdc6b363

SHA256
507569262d77f92d4c60dc7ef94b373f54d3faef60fef7d2010912bbc1604110

SHA512
e7808acb747be333068e319d982343f07321dc54a2effa8fc7c0d0d4552bae65e8d057a8030853c60af447a46f92438f451d7f7676d236cdf7b7beca4c3730f9

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
64397229352b35ca39d69ce68c74d1bc

SHA1
f968c16092f429e52494db1aa318492da95bfb51

SHA256
3952f3e488f32116290fa0486afb707a2e5738637ace2ae7200afb8b37869bb0

SHA512
a4d44e5be7a9c39c7aaca6c55ff03082871fba5ef3c22f6d279fa9240bf5c5493c5eeb6d9d70d885e72e9cd858b16775b2b0dbfe95c422a66e8b768e3baf6a95

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
27bacb8d6db0875a93433f3cf05afda8

SHA1
6fcf17b2c40a756646d5677734abd9608e2754d6

SHA256
c03970267ba1f97eb95f31057fca22e6b290915f25c1305c191f522812950faa

SHA512
065809821a3edc3864253b9c5e4a633fb5390ebe4b394a0a9b47532ddbe9186152fe1af2ff9cb887794729a58581f03ccbceb8ef4e01e6053d9701fe62941c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
71b210667254a8faf56f8b7767803e06

SHA1
0ec61777dbd6d84cdaecfff0bb8acad1cb2e20bf

SHA256
37d3de5b8a383cd7a7d94717e331aeee91bbbb132c2442556583c82cf9b418c5

SHA512
9b888b1f8db08ce9984befbd58646984a1112d471558ef25d20d2a0bac77d1367a98d638c14a6ebd1e14b2f7a97badd24b63bb00ac967a28c2803e463db447c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
435c3543badaa7d967b522a0324d2425

SHA1
738322327d5c1bdf6ecf8325760b0b40f5bbb984

SHA256
65c5689d9cfcd28da2a706d9b6cbb284ac55693ad29d34ae9ca4ef52360b1c76

SHA512
beb7324aa54fdf1e83396a5acde75bb32dfd3d74e47da2852bb542deca7a7708be04b689de63eb5bf064b6ef4c907e480de6c10185fc40d651202bf0c1720411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3825035466-2522850611-591511364-1000\0f5007522459c86e95ffcc62f32308f1_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
ac023c730f8d52441720e81eddd24ef4

SHA1
3748695067e049445d07ec9d7e7437cb03860d75

SHA256
b0d4bea67ed7daeef34f732ec7038312a02787de97e29a06083280e3a7cdada6

SHA512
ea3a7cd2dec42a3b55376ddd4d140733e5530104a91019224e30f1332133470a66ad4bf467727302bfa5d84a713da7c832103f53f92fa9882371b4b926916449

Download Submit
C:\users\Public\RyukReadMe.html

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
\Users\Admin\AppData\Local\Temp\MugkIqqutlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\XFgYGlljTlan.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\aOLkrjIygrep.exe

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
memory/332-16-0x0000000000000000-mapping.dmp

Download
memory/332-21-0x0000000000550000-0x0000000000574000-memory.dmp

Filesize
144KB

Download
memory/744-90-0x0000000000000000-mapping.dmp

Download
memory/1100-93-0x0000000000000000-mapping.dmp

Download
memory/1224-7-0x0000000000000000-mapping.dmp

Download
memory/1628-25-0x0000000000000000-mapping.dmp

Download
memory/1628-30-0x00000000004B0000-0x00000000004D4000-memory.dmp

Filesize
144KB

Download
memory/1732-2-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1732-5-0x0000000000380000-0x00000000003A2000-memory.dmp

Filesize
136KB

Download
memory/1732-4-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1732-3-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/2684-34-0x0000000000000000-mapping.dmp

Download
memory/2696-35-0x0000000000000000-mapping.dmp

Download
memory/2768-92-0x0000000000000000-mapping.dmp

Download
memory/2856-91-0x0000000000000000-mapping.dmp

Download
memory/3800-86-0x0000000000000000-mapping.dmp

Download
memory/3832-87-0x0000000000000000-mapping.dmp

Download
memory/3860-88-0x0000000000000000-mapping.dmp

Download
memory/3880-89-0x0000000000000000-mapping.dmp

Download