ryuk | 2d3b8208e42e72b356add50649a91ffab352498a0cfe4a4c4828e6a331e63a6d

Analysis

max time kernel
1800s
max time network
1567s
platform
windows7_x64
resource
win7-en-20210920
submitted
27-10-2021 08:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

mvUGHSRogrep.exeafWgJXVPJlan.exeskpNXAATolan.exe

pid process

792 mvUGHSRogrep.exe
1652 afWgJXVPJlan.exe
684 skpNXAATolan.exe

pid	process
792	mvUGHSRogrep.exe
1652	afWgJXVPJlan.exe
684	skpNXAATolan.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\CheckpointResolve.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\CompleteTrace.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitCopy.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\WatchClose.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\MoveAdd.raw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ConnectClose.png.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\AddDeny.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\PingApprove.crw.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveNew.tif.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectReset.tiff.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Loads dropped DLL 6 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

pid	process
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

848 icacls.exe
1060 icacls.exe

pid	process
848	icacls.exe
1060	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonSubpicture.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Thimphu	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REMOTEL.ICO	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_OFF.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187839.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00525_.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Tegucigalpa.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.metadataprovider.exsd	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSORES.DLL	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00932_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\plugin.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\logging.properties.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0150861.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\jsprofilerui.dll.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Juneau	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Syowa	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\add_reviewer.gif	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198016.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\ACWZLIB.ACCDE.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BS53BOXS.POC.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR15F.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\TipTsf.dll.mui	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200377.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\BG_ADOBE.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SketchPadTestSchema.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00095_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14883_.GIF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\SLATE.ELM.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\mscss7cm_en.dub.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser_5.5.0.165303.jar	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299611.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02431_.WMF.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\RyukReadMe.html	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt.RYK	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

533272 SCHTASKS.exe
Runs net.exe

pid	process
533272	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

pid	process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1308 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

taskmgr.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1308	taskmgr.exe
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE
Token: 33	1724	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1724	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

taskmgr.exe

pid	process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

taskmgr.exe

pid	process
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe
1308	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	mvUGHSRogrep.exe
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	mvUGHSRogrep.exe
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	mvUGHSRogrep.exe
PID 1876 wrote to memory of 792	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	mvUGHSRogrep.exe
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	afWgJXVPJlan.exe
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	afWgJXVPJlan.exe
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	afWgJXVPJlan.exe
PID 1876 wrote to memory of 1652	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	afWgJXVPJlan.exe
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	skpNXAATolan.exe
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	skpNXAATolan.exe
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	skpNXAATolan.exe
PID 1876 wrote to memory of 684	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	skpNXAATolan.exe
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1876 wrote to memory of 1060	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	icacls.exe
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net1.exe
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net1.exe
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net1.exe
PID 1876 wrote to memory of 848	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net1.exe
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3036	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 3064	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 3036 wrote to memory of 1320	3036	net.exe	net1.exe
PID 3036 wrote to memory of 1320	3036	net.exe	net1.exe
PID 3036 wrote to memory of 1320	3036	net.exe	net1.exe
PID 3036 wrote to memory of 1320	3036	net.exe	net1.exe
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 984	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 2068	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 3064 wrote to memory of 2080	3064	net.exe	net1.exe
PID 3064 wrote to memory of 2080	3064	net.exe	net1.exe
PID 3064 wrote to memory of 2080	3064	net.exe	net1.exe
PID 3064 wrote to memory of 2080	3064	net.exe	net1.exe
PID 984 wrote to memory of 1456	984	net.exe	net1.exe
PID 984 wrote to memory of 1456	984	net.exe	net1.exe
PID 984 wrote to memory of 1456	984	net.exe	net1.exe
PID 984 wrote to memory of 1456	984	net.exe	net1.exe
PID 2068 wrote to memory of 848	2068	net.exe	net1.exe
PID 2068 wrote to memory of 848	2068	net.exe	net1.exe
PID 2068 wrote to memory of 848	2068	net.exe	net1.exe
PID 2068 wrote to memory of 848	2068	net.exe	net1.exe
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30660	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 30660 wrote to memory of 30688	30660	net.exe	net1.exe
PID 30660 wrote to memory of 30688	30660	net.exe	net1.exe
PID 30660 wrote to memory of 30688	30660	net.exe	net1.exe
PID 30660 wrote to memory of 30688	30660	net.exe	net1.exe
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe
PID 1876 wrote to memory of 30708	1876	781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a.bin.sample.exe"
1⤵
- Modifies extensions of user files
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
"C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:792

C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
"C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
"C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:684

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:848

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1320

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1456

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:848

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:30660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:30688

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:30708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:29896

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:246324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:246492

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:248716

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:250288

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintSu" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\WCfIU.dll" /ST 10:25 /SD 10/28/2021 /ED 11/04/2021
2⤵
- Creates scheduled task(s)
PID:533272

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:557480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:561612

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:557488

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:561604

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:993624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:993668

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:993656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:993700

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.39616e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.396188e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.400272e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.4003e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.779984e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.784116e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.788204e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.788232e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.014088e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.014116e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.018192e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.01822e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.042868e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.858024e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1.960704e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1.816944e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.063344e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.063376e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.063396e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.063424e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.248228e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.24826e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.252348e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.252376e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.60154e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.601568e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.60976e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.609788e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.958952e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.95898e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2.967168e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2.967196e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.094508e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.094532e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.094552e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.094576e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.094616e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.09464e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.094656e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.09468e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.18486e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.184884e+06

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:3.1849e+06

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3.184924e+06

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:304

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1308

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x44c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
f4989aa40ebb6a110af1f476c0aff505

SHA1
d2acb8be83feac500a59f26655d46d77f32717df

SHA256
39e31eda656486625266ced8803a9b7f08644936a60eaf6f9dbc4f9cba6e4c68

SHA512
3623c4bb24568b002f4d2a06f5355ac3f985f0d2b1d5cc38290bdda76d9be0262a2605d849d55f138403feeb83099d446685a46215d345be29987601e25e908d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
MD5
bc3993af7dc66c8542d7bbb1c13de47b

SHA1
12a8a2c0c8faa5c70d619c40a9552038a10084bc

SHA256
8c4a74d0de31c4f1626416311f7031566c22bb733e8d55fe1ef0aa6f07569313

SHA512
6628d1d250837ba5c59fd48e07632529dd5f956f33ddb3f9b66dc916a4488c73ee6401a87f90d6de5a110bb5b5ca2fe0d3be19133bec581d6b792d7cc8ab5c5e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
MD5
2df1277c44614634929992606a923062

SHA1
986e5dda1817e1f6eae6444926247d097fd5dfb4

SHA256
a074b91146b5d4e6ae12e7deb85b998333969f41e550a016f029e69b7786365a

SHA512
1fc61e7ce3ec9b0ac5f110ce79526008f5a8a6b1121363db8a2e600fb271a1d4c794aceebe4c199794a81b1b71e8ac811b8b3cb01bd840605e12e3a3a99e05da

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
060b9a023365ccbb640a6e9b78728205

SHA1
7dbad4b04b5759309550f068d49b81a3818ed276

SHA256
6ed42d9431b85828b2edb4993519c45641b54d0d7d5c2e9aa1fae0c1fdf2ff47

SHA512
ccc0d32fe90e4fccf80e8ab207c0072f91909c9a52daf0a44e7cbaa490aba014453ce59c60a5a7b85f75f769ced0883c0cbd2601e7025f59f5f7d2461efea690

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
MD5
c85312fc9ee3853c538c96a92dcfdb04

SHA1
ef02b720f2139ecd61a81ecf3f2b2afedb556a9d

SHA256
702bdffdddf44d5016d42ca9d70a5c33cb4956cda5318ecf7873eff7df0ddc0b

SHA512
562f7be6abeed42e0e0e84a3f8d9837541e0ee509bf2c63a9aa8527f9fcb65e89bceaa1a10f9ac4ed6b1973963ffe12bbe2b58b79bfca5902dd2690d2fd17565

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK
MD5
57ebb9d2f0e68b40d83e7a4081bea244

SHA1
9f546f778c319938dd3c73ebc732a74fe3256921

SHA256
58018737790f7bd1fff4fe1808d7d7774a9ebc7ff11efc887439046136ef09e1

SHA512
daf500295764ff1476c186d7c684b8f84f4620b0dd95f2fe69d29f38d818f68d03e8e0452db4ca5601a9c657976f642c865f3fb36f79bec2cd0278f1405ebf29

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK
MD5
d21ee6757c405722c91866233618faf4

SHA1
6d592d38d67c3671e938c69801d074a15ff59a3a

SHA256
811e18e7b8a30c49fa50ed64416f8d78497fbace8d17e93e610c4726a8d3faed

SHA512
bcb0d13f187d5ed2218be46ebafb5d8bd0e5f62431bdf31ae787d241950f407aecd8a9ca0e3f4c6a37d5a784049b74fcd6b016869858081e9de1f2d70c58aad1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
76bbfb2118f9be9ed233e2ab8ee8171f

SHA1
5115c165fbf69f7757f9f8192ab0f88225840473

SHA256
c20a37f81d02b3020d3986d98f72310786c01bf67ffa89e29d735e94689075db

SHA512
d68a822064cf46d54eda9d84458a303e52e30361a330dfa51de8da6a45f84dfc9232170904c73421b5ddb38b1a7188fb127eefcf8a3869631b39b91a60436da0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
MD5
aad8d5d7ae634697a375260261bc4c39

SHA1
6c984c10ac2553ba6a2df9084ee5fa76341ffcf7

SHA256
421249338fee56d2058c10300a5dc738295792c5e10332eeb7c8e54522a3bea9

SHA512
78ef19828d823932f2c5efd53d4a5d2deef8edf22ac38d900a648a65e88c2b82c0aae78122ad48cc0b4bd2974541046acf4f187286323f328bad0a19a4f39c88

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
MD5
5fd4ed74e32a0343be24fc06b6a63a1e

SHA1
0ed92d949fb2cc143b7e611f80045d46829bbe32

SHA256
cc3dad35d266cd7efa0b4ea651e416599f5acb40e443f3ab1a5cc6a12992c4d8

SHA512
43fd0ad828c2c2958531667fcb71b81cc5823a47ac9d9bef2707cb4be5600538635bfdf86cda8b2a24c65f8eaca2245f2a2e11d471f63a0fb7bdf33b74fa1ba4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
MD5
42c6518cbe30ffd760d63e678b375f94

SHA1
2a9eb97871f6e7419a64130cce63bc7963542778

SHA256
16ee53b8f1120fcffc9fc86a38fb5ff1f8cb83a8f5818f0111061b0c3b7cdd25

SHA512
f91a296be9e425786604914ebff19dde406c6ddd327cb6eac9e15956daa2e6027180663b4c146da35b5de476aedd5f3139a2f5e315d16b6504652ad10866d284

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
MD5
c06c3b484b2a6e298e6811a147b6299f

SHA1
62417c2bc29cd9afc64fdc6ae2659bb8c91d6067

SHA256
4222752289e8a0c5432023a6e8e341afe0653c7163aa7282d1a15649066724e9

SHA512
6e3e92c66717b0664119b512d55fc16c551c22c5b754dfdf3e0662539e98ce98b52823346193f954e89687552447cd74aa27909608e7a3555640b3bd8a463999

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
0381472594e147ca6d64e46e76fa573a

SHA1
e340562bba953fa36b778babac6d65b057c88cbb

SHA256
f61f810f3631f31df334593206ba67f6429221e2ee5c5e8be482b4e5d6568843

SHA512
86cf3a6e3253881666735df9ba042efc02ddae46d13f42643ab36fade75012da526aa8666a3f0cc64aec9554c4c07fad9327c819db489774b98201c8ccfb3669

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
MD5
e5c34ec1e9a7be5b5aba2f7f3aa2aee0

SHA1
2542a998269edac99e2209e45660d93cc39acf15

SHA256
4f0dfbe0d1b4bff758628d0a59e3749ad446f73b3873f856966a655923175074

SHA512
a20f0f106a587522430cae5d5da475fcfec54b26636d23006a8f341cd326c17f41939de171133176287a16c0537dd5778936e547552796fa5786ceaf856e2258

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
MD5
eeccc1484846af117241155b265dbd2c

SHA1
dfcdf1b96db847aa4a3a20ab60209334744287f3

SHA256
e47b1f2f1dd0d2be3262c70d351f05492cc44dac6e3399b372ce3af012296589

SHA512
aae58ac80eeb7b686ddf340a71436dcac38d9201fa1eeab657194f81376010beb9e255e49aef6f6a202b04ac5788c79278dedc3eb6582a8609746a2c84430f93

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK
MD5
c38076a1c92b0bf13e1e0ac5cf8315fa

SHA1
4a78fc888bf724e2b8538dee9639c9f70e93d7aa

SHA256
4a9d58ef0a7be2af7368908e966465c18f649c0305f8fb50a8fa4e3a480abbd6

SHA512
49939f6f8cf37d2e36d4c333df7fced3582abcb3997bcbfa148e50e64c351b2e9f4e2ba2b1143e4841fff002ae32980ab1b5efddf6e48d89c4ed4ef065a7d6ed

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
b37249cad061f45df465298ebc151eae

SHA1
4837cdb2b32954ec4036c482ba8c83947be7dc73

SHA256
c9ac43736041a1e17932d76edcf66f812d260d2e401ccfd75bfd3c2cdb14c219

SHA512
6a8f522da60600d5af82e107520c320966cb4a59e50360ef2fd84929a2d851d436337ec1796fad2ff9a7cf2e0428a9486ff1d46f7734f5a7f8bc1d0f2d8285d0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
MD5
cd66faf06a67418192b44d486c2e775f

SHA1
c46c3f56351cd71f7e16f3b2ab836378eafe7f2f

SHA256
c724c827bfd57aaad9315cfb441b3e28ed49124139622692bbbc4bca6742d51f

SHA512
996463b7fcb2540da111f0131e67dd5e85260dc32cf4720001f2bc5219c2175d757f5790f38c97d1cc6f253b9eba0b94e4b45c08f25540080f6941a3cf9b2831

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
MD5
e09a3220965e610c3c5a00c0c7414378

SHA1
2d1271aeb23ef79f0b1902f3ba0d84309cb0b8d3

SHA256
6b61051f8ab1634ce1063c9c3ddcb32639774146911e6efee4bb6ea82b009acf

SHA512
4e142d0ffac217ae7207b628a5bddda958f88d47abf03b8bb33240ec612930ce93ec4511050da9bc325b27ff0f691b3efa1fa0ad12c4ba4b5df01afaf97c8130

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
MD5
eba9bb0f19526e0806d97ba055436cd7

SHA1
9832e34931bfcdf7f46aacd445f56c02d0aaf5e6

SHA256
9bc2b6a3c4377adf29042aa155ab9cb1ecd2f0eca5944fad4412135d0055f821

SHA512
d911737f7d8192fe09daf72deb81ee146074edbdb6c101559f21ccf89f8efd09df006be2dc888ce98562b9ee1196511a42cce87a89b01440d02cbdbd21d4bb86

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
490a4554c40c2077f7559061f574c8f1

SHA1
8e532a6d70f99bed5ad88c57b13624624410a21d

SHA256
5321b7e8962df8bbdf23b49d8f6837b70a8f0a14cb80201d6a4b43825b6121f6

SHA512
10fa0cfea62b27bdd31dcafb2fd23fc0eb0d4e71ab735a61a42df6e39dcc59123a4c66e2e4e32be3444562014d8a1398181a58ace8ebb030e969ee226e306c4b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK
MD5
06000ef0d284c312654cf2ef04b113f4

SHA1
2703b56d6a9375b1900dc7524ed527e11fa1c486

SHA256
26aa9c9795fb4ec44975ff930f700d9c65aeb172d68cca226af66cdfcdd3ed83

SHA512
cc5010a6c98c5ad1cd7c14fe4fc5f803527dd4670fa8dc304c67cb17466977d8493e9d50c36de2f7c21f8a4fa97eb924a555eb8ff1d9730ced82db15472bfe14

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
MD5
136bb4dab9c03f36ec4c2794582c429c

SHA1
273f93c85611fd0945687b818df6a1e8522f611d

SHA256
bfc86daf60024204890e6b5646fd59249a10a6330b9a041f1b27c25f1cec788f

SHA512
59e95a372d8e4d0206c39ae0704fd4bcddb14bad45083d431cdc5c24e9449636d2795f5f1ec5ec5fc1e8a6419afe189915f86164df09136abc764462e213fc35

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
MD5
40df11714d56c3fa93e98e6fdf85859a

SHA1
6a98fa3d333b5e43a8a87a741470055967014cbb

SHA256
766e0cbda04869ffc658f229eab76fc9ad0292f47257239b9a2b9bad8a49f9f1

SHA512
445be6a184637875797d2a1fa851e14471162d8975d5f0c0e74c8118b97a6ff8206e70ad3b5b41a8eee56ad5afd3b80f4790504e3f7b9cc0f430237586a5bb21

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
9074ad08000cc7aa424ad03418262707

SHA1
5730694b84d3ac9b080571f38d74cd37d24b5005

SHA256
2a757c3412f45962a8d9ba1a09103f5a747d8a735568342a320317a70bc49809

SHA512
e96d3bb5aa07e891cb85bfe923bcfa3bbc7daedb5d575c6e74a183f8891e9b8e7f7229db779ea57365924651447c9592b213de1ffbd6d48780ad5adce5f7c89a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
MD5
ed48489d5416dd678e338ffb35d83ec8

SHA1
ba2d227608870bd5ef32bdae48b1eafd260e25d9

SHA256
9672686c859021b92ff73c352dc0d35cc56e1798a2fa152b053d1b85c3374811

SHA512
a2337785872681fc587681f1b3e2b7b5b9a49032a87c03aef0da96daafdbb91927aca7397207af6ccc6f927b2e3a3002e2f4b57008828e1228ba4673d7002f5a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
MD5
61ba3231b78e16722fc6244375ba6558

SHA1
f23043c39cf304ef9b81256b26888636159d0ae0

SHA256
0345612c86402eef935ab0cf1508eaab23ef3948304dd941900319385f796e80

SHA512
8d53f3c0ef6fa4cffcf6a676449e67ee06a75c3089763c96d9733c3d009b42aa3b33581dcc5f122f8761e929fedcd1bf4fe6fe5b042ddf8500250432c3527580

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
MD5
1d14caf0d0c06caa2bac3f9b316a8a02

SHA1
e288c51dbab3728fcec88aa70fa6b1306eeddb94

SHA256
cb34e3c3d959848a2f060dbef8d918db952106b4a6e935bd3585266f4b7f750f

SHA512
e7bb513c921d76cbdc06cbaec0733b4aeb7b927a1be051ecfd95ebaa5982d2b1189933349b3674678641e2d718cec2f5cb00fef1cca49bd30d41ec7b9672eafa

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
MD5
136529400c1041500f14ca627681d180

SHA1
11199e39971c36f0814dacfa902716e64aec735c

SHA256
2c3e045790cf3526b670681c9c5916ad50abe11d38f2a1865856eec82e5a8fb1

SHA512
5ff940e99fab6af5485122ba2a4f6bcd4956b129b0f5d489380344b4239dd7f324ea0b8aef221eb9e8a13f30981e0b390017d85da641a92236859a409208bb74

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
MD5
28f0c82eef8b00320c9b80e5ed0cbb49

SHA1
a0a0b54c1a0fbc2b94d1caa41e7255544ba31c26

SHA256
74ee94eb90a706ff76127e7839d6b85f68e35b7e338db5f7b655aaca544fbe75

SHA512
3924225e5bb80fdc8723041c1372a051f0a9b3bd55b690f55c292f7c61df420e61e23b94cab79d03948a204cfcfe89eb498dde461f66aaff665eb4159d5d0aad

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
MD5
26b14e58d4f549632bd7607bced0a8b5

SHA1
49cdf0b8848c968e6641445426541004fa0cc7a9

SHA256
45f341046a34517a742ab9757458be0aae3e2fb1b9c81fa725e0087a895c3de5

SHA512
05533e810284a100c4db349ea18f98f99dc20f253b16b76da9dfeb8e5c30d8fd7908625cc46407dc1834e522dd01ef14fa19355ae02c40231467c1e43231b5ce

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
MD5
011831f36b528b35b305cd29b7aee90a

SHA1
7c02879ef8399e058b2ac072d09ca075c75b2575

SHA256
627677aae4098db1c425ec4a5f4c1220bad96ee4957510e20b21e01b9fa15b71

SHA512
23784b8f3ffdf65f4431136f2b314fa181cb02f9ec43dbebf7c41bae7581856f33a433f79ec93105e48604593ae76840a60ca9be5c1e6db65847099b921c079f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK
MD5
03b329de14bfc7ac957f7632c0191d6f

SHA1
be85faf227b9ab492a008868e3e7e9aa092973d0

SHA256
76bf30655c661527871b89c54c768e967f861246e55b079d1537a09f477d11df

SHA512
59f687b25b543e5590b2f5a0bcf721bcebb664123552379ebdb0542225e3cd6488328688f2819b5d5d2a278692fa7e61928e5380625b34bbfe4a94fc7347523e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
MD5
4150128ed968064ec9ce78b990eb54fa

SHA1
808f7e4d65eead65911ee769e54916daffea7372

SHA256
02b22472a79ec685e6314c21f2446b34bec05556efffde019551d3ce71a11d68

SHA512
f76d5f5bf9b7c9205278cdddb980e32f3b6d723cb47a1b67692e546ef8d638251cdb27a5efe798cb8133e0e228d28586fdcba8a4d715c51369fededb73fc7de2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK
MD5
4e1e0d7079abb5002f13e3e68c38c45b

SHA1
03a00b1ab2c41fb0e491733e8d0a00166cc767a1

SHA256
d5238761461fe1cc6080582b5518b69ed4315399328f325608b887957fbda114

SHA512
213af3fa6d364f522455e04a337ce972098b66c37fbeb388d3c91552fa5928da3da37f4508cfec35e3091b013455be428f988c65abf5cd2d5dd1e7f6a6f64359

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK
MD5
b24c660508f92d1d0b143606ba5c093e

SHA1
f599ebb5f3349e4d48ea165c3c84e74524bc8c45

SHA256
d3fac6e949a126859c64957ce06331385af37189d22b94855535b7b47321d93d

SHA512
4f4b41c61087e166f88b19e8cbdfa619e6652d9b3d51970b472c16b18169246e7db24879f23e1c868240fab25b6a0b5ab64ce6db50b367b6674af2733aab4040

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK
MD5
738c54ff4dbe3647f9779459376f454f

SHA1
4c662c48804e69b96ef9c92f98632b73accb8a3e

SHA256
d2f74e7355cc61e962de9c675be10385a1aba90d92cd790c7e82852c6c1590dc

SHA512
1c36e99d7dadce22c3da7144107055aaf354ef2a324bf5acc0d509ab52add734d1225a5f774e0ddff8775b68d38f96f34697953b4dba7d0785a35f70939b2500

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK
MD5
6ac51453dc3712b2b92e89fed2d8ac15

SHA1
8ec74503d18ba07a2383475f66e11f14ea65892e

SHA256
9eddc6f4757002d738657753beeba309416b1934d1db9b44314739120e3b304a

SHA512
34ff0bd0083cf290bec505cbac2d53544d10953260c50b05fb67d6d17870e971978db6dcc157dd208cdb7da2018a5a78f7330f309ef9273e086427c688a232b7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK
MD5
5c461070aa8144ddb5522c9696fdef88

SHA1
b42b74d54211797c3dd5b8592f30fed3a1abd8cf

SHA256
482c95ebe745c3a27b9199ac3b47cd504c565d68435fded5c2033ed13eef8d07

SHA512
461aeb7e6642485f74c9acca8231bd6cbe0a40e901df7f917e79eb5a48b6e499291450546a1c39a4180db3fe2bd755051369515559976693ad3b2bd7311ad96b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK
MD5
1a56ab815f2d0c04c1a43e0adfc0f281

SHA1
9aaacb0334253d58e09bd1d72dc1cace9b48b510

SHA256
957ce8853c556481d2fa6160e19bc4d9232c58e1f1f16d1f842f5bdae06b60f2

SHA512
2983913f20842e79a27bcee0b7566d77d2d81fcb285b0145cb50f0e0e4e08fe41e62de394fbf6fecc0ca771d4fb1ad2b5683446ef951b105a3971481614438e5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\afWgJXVPJlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\mvUGHSRogrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
\Users\Admin\AppData\Local\Temp\skpNXAATolan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
memory/304-67-0x000007FEFBFC1000-0x000007FEFBFC3000-memory.dmp

Filesize
8KB

Download
memory/684-65-0x0000000000000000-mapping.dmp

Download
memory/792-57-0x0000000000000000-mapping.dmp

Download
memory/848-73-0x0000000000000000-mapping.dmp

Download
memory/848-133-0x0000000000000000-mapping.dmp

Download
memory/984-129-0x0000000000000000-mapping.dmp

Download
memory/1060-72-0x0000000000000000-mapping.dmp

Download
memory/1320-128-0x0000000000000000-mapping.dmp

Download
memory/1456-132-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000000000000-mapping.dmp

Download
memory/1876-54-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/2068-130-0x0000000000000000-mapping.dmp

Download
memory/2080-131-0x0000000000000000-mapping.dmp

Download
memory/3036-126-0x0000000000000000-mapping.dmp

Download
memory/3064-127-0x0000000000000000-mapping.dmp

Download
memory/29896-139-0x0000000000000000-mapping.dmp

Download
memory/30660-136-0x0000000000000000-mapping.dmp

Download
memory/30688-137-0x0000000000000000-mapping.dmp

Download
memory/30708-138-0x0000000000000000-mapping.dmp

Download
memory/246324-141-0x0000000000000000-mapping.dmp

Download
memory/246492-142-0x0000000000000000-mapping.dmp

Download
memory/248716-143-0x0000000000000000-mapping.dmp

Download
memory/250288-144-0x0000000000000000-mapping.dmp

Download
memory/533272-145-0x0000000000000000-mapping.dmp

Download
memory/557480-146-0x0000000000000000-mapping.dmp

Download
memory/557488-147-0x0000000000000000-mapping.dmp

Download
memory/561604-148-0x0000000000000000-mapping.dmp

Download
memory/561612-149-0x0000000000000000-mapping.dmp

Download
memory/993624-150-0x0000000000000000-mapping.dmp

Download
memory/993656-151-0x0000000000000000-mapping.dmp

Download
memory/993668-152-0x0000000000000000-mapping.dmp

Download
memory/993700-153-0x0000000000000000-mapping.dmp

Download
memory/1396160-154-0x0000000000000000-mapping.dmp

Download
memory/1396188-155-0x0000000000000000-mapping.dmp

Download
memory/1400272-156-0x0000000000000000-mapping.dmp

Download
memory/1400300-157-0x0000000000000000-mapping.dmp

Download
memory/1779984-158-0x0000000000000000-mapping.dmp

Download
memory/1784116-159-0x0000000000000000-mapping.dmp

Download
memory/1788204-160-0x0000000000000000-mapping.dmp

Download
memory/1788232-161-0x0000000000000000-mapping.dmp

Download
memory/1816944-169-0x0000000000000000-mapping.dmp

Download
memory/1858024-167-0x0000000000000000-mapping.dmp

Download
memory/1960704-168-0x0000000000000000-mapping.dmp

Download
memory/2014088-162-0x0000000000000000-mapping.dmp

Download
memory/2014116-163-0x0000000000000000-mapping.dmp

Download
memory/2018192-164-0x0000000000000000-mapping.dmp

Download
memory/2018220-165-0x0000000000000000-mapping.dmp

Download
memory/2042868-166-0x0000000000000000-mapping.dmp

Download
memory/2063344-170-0x0000000000000000-mapping.dmp

Download
memory/2063376-171-0x0000000000000000-mapping.dmp

Download
memory/2063396-172-0x0000000000000000-mapping.dmp

Download
memory/2063424-173-0x0000000000000000-mapping.dmp

Download
memory/2248228-174-0x0000000000000000-mapping.dmp

Download
memory/2248260-175-0x0000000000000000-mapping.dmp

Download
memory/2252348-176-0x0000000000000000-mapping.dmp

Download
memory/2252376-177-0x0000000000000000-mapping.dmp

Download
memory/2601540-178-0x0000000000000000-mapping.dmp

Download
memory/2601568-179-0x0000000000000000-mapping.dmp

Download
memory/2609760-180-0x0000000000000000-mapping.dmp

Download
memory/2609788-181-0x0000000000000000-mapping.dmp

Download
memory/2958952-182-0x0000000000000000-mapping.dmp

Download
memory/2958980-183-0x0000000000000000-mapping.dmp

Download
memory/2967168-184-0x0000000000000000-mapping.dmp

Download
memory/2967196-185-0x0000000000000000-mapping.dmp

Download
memory/3094508-186-0x0000000000000000-mapping.dmp

Download
memory/3094532-187-0x0000000000000000-mapping.dmp

Download