ryuk | ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

Analysis

max time kernel
300s
max time network
260s
platform
windows7_x64
resource
win7v20210410
submitted
22-04-2021 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

amused-watch.exe
Size

118KB
MD5

a31089dc3cafe77c39268273d689193b
SHA1

032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512

d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'N2QvTsXamJ'; $torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

vOzGaidlNrep.exeUKgiRTrPtlan.exeQiaeQznYJlan.exe

pid process

1576 vOzGaidlNrep.exe
1636 UKgiRTrPtlan.exe
1192 QiaeQznYJlan.exe

pid	process
1576	vOzGaidlNrep.exe
1636	UKgiRTrPtlan.exe
1192	QiaeQznYJlan.exe

Modifies extensions of user files 7 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

amused-watch.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ReceiveWait.tif.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromStart.crw.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\ProtectWrite.raw.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\SetInstall.tiff.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\AddDebug.crw.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\ExitSelect.tiff.RYK	amused-watch.exe
File opened for modification	C:\Users\Admin\Pictures\HideAdd.tiff.RYK	amused-watch.exe

Loads dropped DLL 6 IoCs

Processes:

amused-watch.exe

pid process

1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2656 icacls.exe
2668 icacls.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

amused-watch.exe

description ioc process

File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI amused-watch.exe

pid	process
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe

pid	process
2656	icacls.exe
2668	icacls.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	amused-watch.exe

Drops file in Program Files directory 64 IoCs

Processes:

amused-watch.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.nl_ja_4.4.0.v20140623020002.jar	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.jsp.jasper_1.0.400.v20130327-1442.jar.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kuching.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR15F.GIF.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14997_.GIF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts2.css	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEEX.DLL	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1254.TXT.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML.RYK	amused-watch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART2.BDR	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\Dataset.zip	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01160_.WMF	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105232.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\THMBNAIL.PNG	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\OLJRNL.FAE	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKS.ICO.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.XML	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF	amused-watch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Petersburg.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME38.CSS.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPOLK.DLL	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0232803.WMF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\TAB_ON.GIF.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-snaptracer.jar	amused-watch.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215076.WMF	amused-watch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl.css.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_choosecolor.gif	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00170_.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105338.WMF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MP00132_.WMF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00148_.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01759_.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\messageboxinfo.ico	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02522_.WMF.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\TimeCard.xltx.RYK	amused-watch.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\RyukReadMe.html	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01245_.GIF.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\PACBELL.NET.XML.RYK	amused-watch.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Managua.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-BoldOblique.otf.RYK	amused-watch.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.GIF.RYK	amused-watch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

6952 SCHTASKS.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

amused-watch.exe

pid process

1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe
1096 amused-watch.exe

pid	process
6952	SCHTASKS.exe

pid	process
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe
1096	amused-watch.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

amused-watch.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1096 wrote to memory of 1576	1096	amused-watch.exe	vOzGaidlNrep.exe
PID 1096 wrote to memory of 1576	1096	amused-watch.exe	vOzGaidlNrep.exe
PID 1096 wrote to memory of 1576	1096	amused-watch.exe	vOzGaidlNrep.exe
PID 1096 wrote to memory of 1576	1096	amused-watch.exe	vOzGaidlNrep.exe
PID 1096 wrote to memory of 1636	1096	amused-watch.exe	UKgiRTrPtlan.exe
PID 1096 wrote to memory of 1636	1096	amused-watch.exe	UKgiRTrPtlan.exe
PID 1096 wrote to memory of 1636	1096	amused-watch.exe	UKgiRTrPtlan.exe
PID 1096 wrote to memory of 1636	1096	amused-watch.exe	UKgiRTrPtlan.exe
PID 1096 wrote to memory of 1192	1096	amused-watch.exe	QiaeQznYJlan.exe
PID 1096 wrote to memory of 1192	1096	amused-watch.exe	QiaeQznYJlan.exe
PID 1096 wrote to memory of 1192	1096	amused-watch.exe	QiaeQznYJlan.exe
PID 1096 wrote to memory of 1192	1096	amused-watch.exe	QiaeQznYJlan.exe
PID 1096 wrote to memory of 2656	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2656	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2656	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2656	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2668	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2668	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2668	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 2668	1096	amused-watch.exe	icacls.exe
PID 1096 wrote to memory of 3728	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3728	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3728	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3728	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3704	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3704	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3704	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3704	1096	amused-watch.exe	net.exe
PID 3704 wrote to memory of 3428	3704	net.exe	net1.exe
PID 3704 wrote to memory of 3428	3704	net.exe	net1.exe
PID 3704 wrote to memory of 3428	3704	net.exe	net1.exe
PID 3704 wrote to memory of 3428	3704	net.exe	net1.exe
PID 3728 wrote to memory of 3324	3728	net.exe	net1.exe
PID 3728 wrote to memory of 3324	3728	net.exe	net1.exe
PID 3728 wrote to memory of 3324	3728	net.exe	net1.exe
PID 3728 wrote to memory of 3324	3728	net.exe	net1.exe
PID 1096 wrote to memory of 3168	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3168	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3168	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3168	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3280	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3280	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3280	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 3280	1096	amused-watch.exe	net.exe
PID 3168 wrote to memory of 2908	3168	net.exe	net1.exe
PID 3168 wrote to memory of 2908	3168	net.exe	net1.exe
PID 3168 wrote to memory of 2908	3168	net.exe	net1.exe
PID 3168 wrote to memory of 2908	3168	net.exe	net1.exe
PID 3280 wrote to memory of 1920	3280	net.exe	net1.exe
PID 3280 wrote to memory of 1920	3280	net.exe	net1.exe
PID 3280 wrote to memory of 1920	3280	net.exe	net1.exe
PID 3280 wrote to memory of 1920	3280	net.exe	net1.exe
PID 1096 wrote to memory of 6900	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6900	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6900	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6900	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6916	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6916	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6916	1096	amused-watch.exe	net.exe
PID 1096 wrote to memory of 6916	1096	amused-watch.exe	net.exe
PID 6900 wrote to memory of 6976	6900	net.exe	net1.exe
PID 6900 wrote to memory of 6976	6900	net.exe	net1.exe
PID 6900 wrote to memory of 6976	6900	net.exe	net1.exe
PID 6900 wrote to memory of 6976	6900	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\amused-watch.exe
"C:\Users\Admin\AppData\Local\Temp\amused-watch.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096

C:\Users\Admin\AppData\Local\Temp\vOzGaidlNrep.exe
"C:\Users\Admin\AppData\Local\Temp\vOzGaidlNrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\UKgiRTrPtlan.exe
"C:\Users\Admin\AppData\Local\Temp\UKgiRTrPtlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\QiaeQznYJlan.exe
"C:\Users\Admin\AppData\Local\Temp\QiaeQznYJlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1192

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2656

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3704

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3428

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3324

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1920

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2908

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:6900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6976

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:6916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:6948

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "Print9m" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\hQSad.dll" /ST 10:25 /SD 04/23/2021 /ED 04/30/2021
2⤵
- Creates scheduled task(s)
PID:6952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8820

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8864

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:8852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:8896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
8dfcba1b86e8babc84177a5ecd4dc28d

SHA1
b4291097e77329e8b34957fa81a766585155e7c4

SHA256
3cdc9880155f0da122be1801220976d7486d8e7be902ac7a94c33e0ee717836f

SHA512
6238dec51cfe9dd4e11fe6c9e2cb50b296a7cfe4bc7c119f493a8b12a12557d6ce770558b0adc36a87eb858c45ba94718a245ccf86200089282991259994d9b3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
9bd4cb0f6494128982262c222a3e3a42

SHA1
b4a60c873e8a8d76fc5378ab3b320cf298f38ef1

SHA256
b046b543a9c06bcb6a3281263fe824c7dde9ef82fc010ca683dc9bccfd23f003

SHA512
47ece9f3150d07af3ad070edcf7097de68a7b4ded387b3f40ccfeafb62566c4d5da063de8e2b43b5c04c664a51f4cb1574efc201b1c7cc260687dedf52360981

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
1a5e0d5d4c4c7e982188d58e0bf38a0d

SHA1
8839dbc16067c209066274969474cb330782b6eb

SHA256
2eba086672366fc7df336bf50d316ef54cc167435b40d6117d0c2a10b34d5e3e

SHA512
4f9ee416418750a44dfeed3424477f501c98d7ab02ab84cefdaf5e8a475f4d0a4a9d38bff3264874577ed4f0f697d06541e318a36ddf9b32bada97e438d500c8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
1469d0e9f92f8e3063c8f83c5c55b1f9

SHA1
ae1ff3ad10fabe07c9370eeb7fae1064ee5d9e1d

SHA256
fc1b54ba9e2dfa66df99ec89eb6986b8e8f3ac5d50b00489c831ff194bcd924f

SHA512
d2770e6398e2c8473d3d4fc476e0acf473477806da5264d908d4a9473ece6d5b1908f043459fe12515b8e171bcb8b1022da9a3af6569be4008a45f79b9d6c9ea

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
d02cd92338cba0b416733835bf33f172

SHA1
4c5ebbbac00a0401e012c4d95367cf433ffad2ac

SHA256
0723655e9e6b5fc0675771bd14f385c0b7fbc20c7bee5f9be945e08de80360d0

SHA512
edee94de9a681ac135385bef9f424036ac50c09121f77bd97381b5824de2ce33e7fe3662e0890e7ba1e098b835bed340728bc9b80ffd171ee82734cf1e079dee

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
af9f1db35c876a47a6677a1f1c674179

SHA1
69beb6b9404b437fc69850867678f9b58a30ff0b

SHA256
515a9dd81044f9bc1dac5eb0e1604c3467b712e682f8d57a43b6616fb39d875b

SHA512
36b478fbb2513fe5829bed86fed49c9462be4df0de1d23f38d19c237cca90673249485e47b8f91b4dd04c6bb20aaa6781490ea38a651ebc7c64eaabc34224514

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
0a3a8c74497a9e7720215369893c1448

SHA1
42c3909ac202c9c674ab75195759395bdcea8257

SHA256
b1ba297ea9e7eafec87496bb8fab617ad4d1544e646e9e9a279ec80d6337df8e

SHA512
a638ada2c401b55d7152b63e5a8bdf8701dd1365bece670445977cfa28fd6328717edc4353563c0923889ef17052df8574754662fecb4657f3a50d05b3db792f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
c46c4f16e92a757cd2a75804522a1a4a

SHA1
95b393f4e5a5380c0cc699cec8ca362778434f59

SHA256
bc19bf60b23a11d1a32983ec09f2848280f7b0ea53f398c5cf0922c35ad3aafa

SHA512
c13513aa35e73e859ff42e542f5d7023502d26c26adeeee534ded0195f05ba51922886c432748c3d8cf8d4bb52ee897d09f74860da2c894fe3fde90bab685ae4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
f200e1e782e299c090441904dffecd16

SHA1
41b1dce31d55d818be6f4935a958b62cc1e2a7f1

SHA256
2be5b368c4c3df1e1e553bb6efd5d021039f2c881892b7664964dca0bff6bd00

SHA512
2773b130106628cc48c51defdd195fdce7e94af136277014afdff41238384cf7846953a2b94a6247d0ad6c849cfe719a58d8f4e91347c4b931ebe8e9748d4777

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
eb4588e6795e3da337cb428b9e80a26e

SHA1
a1bb6aae2c115f496b1a790baaa21f42ae127630

SHA256
07ebb09859dc3281688c268187b7d7208f6167d285f9e6eb7fb8775d44141480

SHA512
2c1014d3b62c979259172f1b6c6f585731afe39b1f0b8531b566413288b06c426d043de7fd7b7ec7e9290a06f74d82961033cb45ae53147beadb0185c81272b6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
fd18e2a21e84f261753410e14875d3bd

SHA1
49710564c58a156f14056375ae21c9a593549ea3

SHA256
64fbc6b71e695d3777c5845ef1e4d55a1be3a7a75752440f6421d789091b6da2

SHA512
feeea453c44fce2435b5554b3290622702fb4437e5d7c6621525016e0cc291305ad0800ccbdc69771280cc39ea19318d66824ef8564088f070698ca5b142228e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
395e55037f4b57e525346809d59db612

SHA1
e5b34ee3ec45d14ee4d79e1b03cd8bf2137fc294

SHA256
9e9c57c056b1e7e4731f79567453b8751ed3a2ca8d4381ea2883206c907cc2ec

SHA512
7e6124910a6fdd10f6fa563faa7ce4c3e2fc16ab0f328894e6728abe4b16f59c5bf8ba244fa4703c3e080895cd26a665d685b5a3920520263e5d23585cf43ff5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
305f6d4d4a97ab449be87035ea609b1a

SHA1
8172ef07652c16ca589e445e204b7009e199f595

SHA256
d69b0ccd9cbc4b3c611be4bc084ee22f9deb24e0afcef4f70274c9fcdd02df5f

SHA512
0fdbf78e268d2cf772cd251528de33289213b06d79f697638c36d18c74c0ae34fcdf31b0423c60e184e27c0777e1af7506fd0e5f9b1f402905f8a41206b95fdb

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
58109b6b00564fe403a37216c12d4e45

SHA1
feac500ed92a6e8fa90a6f6c0a28cc1ac0571de2

SHA256
3fb9eb2c8c6ccf605574576d121bda38c90f39894754ff2fd7264466a2d582d8

SHA512
711466ce05ec7aeb8c8c63f2b84d0ddc6e8eff1fa7af077146724c20663449e904447d0a84c5eb1d31353fadeb235cfd94dead71bac6098e22e5ea6365e925ac

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
f163a0fb70e59ab1f8f5dee7f00580d5

SHA1
9e8d211faef5d8643e9d7f83c2b5ad41713a8b58

SHA256
5bbcfaf5fa393fe6c3c5784f6fd8cdb70ae445dedd59ef93f62907b70559ba7b

SHA512
b549a02b5caa3bca525fe5ae48e0dbd1a7b81564b0463a16034d244b601ce2b41579b21544f6501105a226e315072ce46560697b089e5d882a52f430fc016427

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
03b17659eac1f85d4ce32057eb4ab976

SHA1
6e776d24f4274dabfc08d47359907b04d2ed3327

SHA256
532ee75038c706fd60f1db5adfecf80ca1002f27316a9b84cb94f45f66d6a464

SHA512
6474a4336f8c107ebc991a82b86e3882983a6f882b3af5564de94f4e1caf55763f42541cecfa9ff795063de1f87b234566bbfc2c8b9a67071d50ef1634990285

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
994d030a6cece40b383e262c2b91fc80

SHA1
d7d48b12146658b6c1afbd5cefbe95d7d69653d3

SHA256
ec6c180d6e1ff1b0fbf9a73a86bcf193740fcd8e0ab1e6251de8266cc8f2115e

SHA512
e5e85c5e74ac357aa4755deba0c3ef45e11aa532a16bfb10a28893db5105b766cbdf7206eca9f6886e3c010ccb93d946c8057ba7cf0fe955e5fcd29acaef04aa

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
30e31704e6deed83bee538ac6e11dc21

SHA1
f87216122b25fdfbad220fe8a5a3683e2779fa1b

SHA256
5bf6dbd8b60c299011b3e4f9f540efa79fe38153e73657e68d931eded5c7a01a

SHA512
080b7cd3c523dbe0b680670c88aa0f3aadae0c3c3aac7d44ea6d5c31e01fff1af6ccf6a016f43a3986ae272fc0a81fb14cd776ac26d3c4c89152eb3a246b7cc8

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
57db7982eb2e5e917cfa6934764f48d3

SHA1
cecc64d19f91cc731b6f2bf279977486f928780b

SHA256
e10859d5efdabd3bae1a185193e66ee04ba341b8b6798c36855324c6e0ffe99f

SHA512
fe93278d8ca7bb5f14316a4061d0a57cc0eacb9d60ab0906ece9d2a9f9d52284021450f89b5e641668b388f69190bcaf5c33b3dda55e6a0cc6515e63c0862e09

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
8aaeb85fe7e209e61184551d55b8edc2

SHA1
706c72e22ae88b30594eaea38ef11f09bb2a5570

SHA256
a38fc5a1ae9a91d63b13ae826f30be537132905115bafaf06875e1823de622d8

SHA512
11f89ac838444d911687c1d603d0435c617b38c999dc7a9a49f3776d994f3bf4b1fc48da397cd0be3c8f65333bd1f4c5057797737e347cd73d70573ab2bf604c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
c3eabcd928ff9fcfb2f5ad3966e78a2c

SHA1
fdcd81937823106b58220b6f262da7bfc3fb74b4

SHA256
e5fdf7317aae8c76b251a214859d2bef2b6c4eb6eee387041924a92991eaea89

SHA512
b6ddc41e7714a2da02627d882149d501895fdcc2a81794886404b1c8ad9dd37cfb68cf1b06bd43f62d15d69abcb679ac5e22eced7a720534392d4321f94af6c3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
f42bc3a71efd3609dd638ce64f279629

SHA1
95ee978f28e461bcb73c4e3e986d1e28a53d35a9

SHA256
998b1146fc1e1c5e80ed45283e5ad7f42e8ab3b907356f51b6086efc427e0fef

SHA512
c86c3803479d44ad6165197dc435e0aaf7e224e07b29702c203a1a7cd4310e433f67bc3d9087517de7e3c1d53a7d0ee1b52f2f17e8f9752462aabe2ae3407361

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
497108b9b2208fc4b7416987e00fed5e

SHA1
b3d892462949024954ee5f9bb9801a24c4157916

SHA256
328b4b68dcbb18c7b1733aff9b6b64ca98bba8deeeac8bc6014a833a7d37ab70

SHA512
195e801f147c175909900625b4bf5fbdfdca9420aa3b14e10a4f19208f0925676ba0f02c47f37866bf025693c4f8a4ca9fbd7f03f6d52ddbc347d0e6f0e08880

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6df10403802d268ee82aef176c36ca83

SHA1
9d2fe88adf4af9ebeeea28ad54dd3126225cbf59

SHA256
4df84da551e04a91667541c37aacd716a94aa73a391f5214deb9d08319649894

SHA512
247c0c05073adf0ae5f213b92ac16f72dbe6efcd1360b4367e978e95eeb065aa5e0173b8483458c3d679f5d33f2b82ee578a1f06fec8f670e6a7bce0c30b5fda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
d8edd91db5ec71fccf09e23d8018028c

SHA1
d6e7cdf415a44d32b7c2ad5aab027815700a7407

SHA256
28e7b7bd55883e767e454a629ff8499d32eb4358026ef545b18f6e091f145278

SHA512
89fff882281565bbb24e89a47f7f64754cb0f0ebd9256bc84a79c2e2f0a1f3950d1c8eb79fd23ff535fa7e4b7e3100664fb474fe176056b5ba725e4f8161264c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
284cc38d6eeb8f097b343b20576d0129

SHA1
c81dfbed609651c63906a7e741a5351e723ed9ed

SHA256
a4f17d921d8f619d0fb229d843623e6c2e4fadb6202fe9e226c6d32271db5a23

SHA512
86cf894d98b1066177bbd9f564ee9cf2b934a26020c1fa83a3be740a37c135292e8d04ccd5d6a1cd9fc694780dafdd555b68fe0914cca3ddab41d2b730f69f57

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
85bdc99c5f2685296b6d2cf4ea4ad0de

SHA1
423a3f13898a73ffe0fbceacb3c8cf8f213eda49

SHA256
7c4318a9df786448bb52c2a6470bcbf2f7f33f2824988ad9c33130617da99fd7

SHA512
5370a44615adfedb375f5ab34fa7059f707f3b145e25ab48d70105b0cfa19bd5f155e4e4d5c8fcfe659d96069d9c3b1c0d71475dd1d80cd07cd9869b436cae86

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
f2bfaaf1c374f807281a8dbac9a0e576

SHA1
43956793067b6e7f1285cd1d2aac4baef6cb29ee

SHA256
c0ea4e2819644ecc2782275ad2cba5840b628b00080647eb185e06ca3c6cbef0

SHA512
36e697c4f0a2be62cf7a25373ad813314d18e73a43fc0bd30235aae222fcf0795fd52e67cbce2e5b6a395109f5e2100a4820fcd3cc4fc236ee63f797d1244627

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
da88a1ea1f8db5c078ad13416ee48e9f

SHA1
cfd2a32587954617767daf488421fbdf76dfb424

SHA256
9482f898ce97d39bc500d93fee9e06d8cb544de1f3fda06fd63c895509612953

SHA512
78c11af0ec8210b363b11fc18e09598a1197a2f3cbf50f3b801bfbbfd1c62e4402ef9d95bdf53debc7d9e1cc92540a4791d336146f3bfd678d1c9d3d6a22c07e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
309f811a1f9f53efd8c8073deefb13e4

SHA1
6007e28ac003abf9dab6e6f6a38cb67c97cdbd00

SHA256
6de7607370eb77b8e58053781e2dc114483e774923d57c18c085ff325326a7c1

SHA512
4c38b759d806e322523e344daf5459cf22682ffbe1998fd29d010ce9382dc5713ab26185463380d2befe5ae5ef3b323049aade22802cdcc9ba7dae63bae89fba

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
f588915cdbb77e7b6d882a6e0d54c805

SHA1
7dd0f85db49dc3f12d199c1382759fa6d8d111f6

SHA256
4b444bf7641a6fa39615ac6622b173323d086eaf55cf819d8cb405b839d93553

SHA512
4259c4f22b4d4377cfa7ffcd66d8659bd0c59bb5f85fd3550c0b857c32065f6078badb2d62b2b73ef8a926ec9da179c733e1b678f3697f6a24b50512948461e3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
306ea6c946b32b2326e5b9d3c8224163

SHA1
acddf38541f3348737325fd1c1c984ad4ba3953f

SHA256
c9f6e1df19d452b6832540459cc3efad7d164cf1cd786b8db2e2218f811c3d09

SHA512
87ee1dc95149acd19bc488faaebacd4ea41cfaaf9d67717391471beaebff57b3eca93feef0e293ce620c5ce0b8eeacc253528537852ee48241f9260971257367

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
22c10aac9ca7866939aa020162561e33

SHA1
d99e8625fb70df74ff0545e52888cd463ec042a2

SHA256
24f7465a7c10d106fcd86025135bf6f5f47405b41c1e314bfd7977ac815ab288

SHA512
95e4f66d9cad3fcc1242abaa9538862e920620151bc746145c5532aec9d8fda4ffc198493c709f65f6a6e5a2054129c883796873dd0b785259669ad0f62c56b4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
edc6cdf19cbe3584760492b6e62e0887

SHA1
2cd4221efca5e204e5a263f5d5940632e40d52aa

SHA256
af68b7603dd782e0fce0ba1e26f10bec57233756523d9024567a830863146a16

SHA512
9c98e007cb74c57f4b01d7a91bce726bb4ff4eeca7c3d0a62a03a2392ca68a310d66a4a1513bfa84f503561f738f806222ede61b2c476f42f3cc969985355823

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
32355ac7f0851d27ac3fb5e576f62f09

SHA1
d63af56715b94ab25971f82bff81b99fa8b5ce39

SHA256
208ff291b253f218f67071e5ac0f0c8d89660090efc37eab2d991b91fdd0e9e0

SHA512
675fb86e13299d1db56b01ddf557525a3d0d0f6e2a2f94ed502fbfd81a8e462701f29ae9bd7e8496bc4a274bcd19adf63fbcb98d8ea4caa7d77e7aee1933e0b8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
20281dc8bd6b49eef82203e5f27267cd

SHA1
574037da8329c3d1e7d3fdbb25598db92978b8a5

SHA256
5742de0b602b253018ad5b4547479eaed5136ba2c314faf53cd7392a0b742695

SHA512
60bbc014fa1cab1488eeb2c6a3f92ffde3aa4e20d46616fcf1e856c978bee608e17e540f0df841c4e825b213fdca0ebc2f0944d1df70549ba196458845a8cb5a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
33fffc8d32b46ef786abb7d013be9817

SHA1
14f6dfb6af920d8c21125259e4cc627f2072714f

SHA256
f8a20219a34ea8e9c65e514a8201abd8777c572519a8a2c50e0f98a347e7f9cc

SHA512
6f9fa521a1677fbfd991f3bf79d69f54f8bcd1b232d3c6da97e0458629b567afefd8c1bcbba64e98b9ef9fec57ff5c11a1fdefeffb7cb00100ac4472ca92a84c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
0d317a68ba7ff910ca409d132940e5be

SHA1
f5474caf67fded11050ab50760b09c3b70f5ff60

SHA256
1af99b5d0b7cb87b758161bd0cba0dd70bfe42ac843f57fd5831bbec24f3b8e0

SHA512
0c618ffb8db6aa112b2d165246f954c93121d355b12ae8d89b8edfec0b635cb3d85d06e4e41cef106c4b31d7185b022a310969904ef90ed1cfb7adb756432777

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
5126cd5d9f7476b49796d0ba5df6610e

SHA1
96c5506349903990d442d2e331cb9fe804adf5b6

SHA256
daef52645f769a59f9dc06ff73a3aca5f9a833955561997d9d36162013e60756

SHA512
75027122cad6a86c2da93f6770738e82483830bb30d48f9bf4ff4520cc9052586feff11745404e27aa0e65ab031e8f0dd948871bd8834580373ad07533780765

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
5f410a4a687e09b5078f0b60244fd2d4

SHA1
b2dbbea8cc539a24b6fec32ef3385324c7d0f732

SHA256
b2ee8059e085815f36aa198ca4e8f097a477e9f95cc7c00442ffa1cad9f03e3c

SHA512
20e8f8c8d75dab1a789637cfc64a1ed41f12d2016869631ed5c5697dc49306f5e315d506f9bebc4abdf3af5fb425a24887b734f3fc6cfb80738b03ff4264dc0f

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
e6bfe399d5250bdbec8efc66e10664a7

SHA1
64680298307663af769235d481429810fd263719

SHA256
a21b189a4059594f6481905820ca48f534bb8cbfb7ac3a2ba48e7166f248711c

SHA512
9179dce6068bd075296490be1b361bd00d7041f86b5a4062f66cd892ddf0783daa35cc41769479b6e2b7b6c526f64c38469c4a48925bf5557aaebe2863892557

Download Submit
C:\Users\Admin\AppData\Local\Temp\QiaeQznYJlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UKgiRTrPtlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vOzGaidlNrep.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\users\Public\RyukReadMe.html

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
\Users\Admin\AppData\Local\Temp\QiaeQznYJlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\QiaeQznYJlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\UKgiRTrPtlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\UKgiRTrPtlan.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\vOzGaidlNrep.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
\Users\Admin\AppData\Local\Temp\vOzGaidlNrep.exe

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
memory/1096-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1192-71-0x0000000000000000-mapping.dmp

Download
memory/1576-62-0x0000000000000000-mapping.dmp

Download
memory/1636-66-0x0000000000000000-mapping.dmp

Download
memory/1920-138-0x0000000000000000-mapping.dmp

Download
memory/2656-75-0x0000000000000000-mapping.dmp

Download
memory/2668-76-0x0000000000000000-mapping.dmp

Download
memory/2908-137-0x0000000000000000-mapping.dmp

Download
memory/3168-135-0x0000000000000000-mapping.dmp

Download
memory/3280-136-0x0000000000000000-mapping.dmp

Download
memory/3324-134-0x0000000000000000-mapping.dmp

Download
memory/3428-133-0x0000000000000000-mapping.dmp

Download
memory/3704-132-0x0000000000000000-mapping.dmp

Download
memory/3728-131-0x0000000000000000-mapping.dmp

Download
memory/6900-139-0x0000000000000000-mapping.dmp

Download
memory/6916-140-0x0000000000000000-mapping.dmp

Download
memory/6948-142-0x0000000000000000-mapping.dmp

Download
memory/6952-143-0x0000000000000000-mapping.dmp

Download
memory/6976-141-0x0000000000000000-mapping.dmp

Download
memory/8820-144-0x0000000000000000-mapping.dmp

Download
memory/8852-145-0x0000000000000000-mapping.dmp

Download
memory/8864-146-0x0000000000000000-mapping.dmp

Download
memory/8896-147-0x0000000000000000-mapping.dmp

Download