ryuk | 6e2ac459c37d1193fe411683221d62747648f5628f53b9c0dd1c0d9aff619994

Analysis

max time kernel
90s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67849a6a23fa2e3a3b6e717bf992c5ab.exe
Size

922KB
MD5

67849a6a23fa2e3a3b6e717bf992c5ab
SHA1

5dd1c28989b7420d3b0bdc2770691bfef8550f06
SHA256

6e2ac459c37d1193fe411683221d62747648f5628f53b9c0dd1c0d9aff619994
SHA512

ec52232f1fc077f9557b6e08e2e541204e066fb63b784e2aff1a1e9775dd633ba8a7240c1109d392a987415927e23b5b06d8408da307993216f174600377af25
SSDEEP

24576:q9neo2D43MManeo2D43MME8neo2D43MMc2XCq+ZAx8K12A:snmnZnC/K4A

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (187) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Executes dropped EXE 3 IoCs

Processes:

hsJwCJLYXrep.exevFTMpJjnVlan.exemjZqtnNovlan.exe

pid process

2768 hsJwCJLYXrep.exe
2696 vFTMpJjnVlan.exe
5672 mjZqtnNovlan.exe
Loads dropped DLL 3 IoCs

Processes:

67849a6a23fa2e3a3b6e717bf992c5ab.exe

pid process

2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

23920 icacls.exe
23936 icacls.exe
23928 icacls.exe

pid	process
2768	hsJwCJLYXrep.exe
2696	vFTMpJjnVlan.exe
5672	mjZqtnNovlan.exe

pid	process
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe

pid	process
23920	icacls.exe
23936	icacls.exe
23928	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

67849a6a23fa2e3a3b6e717bf992c5ab.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscht.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\ko-kr.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ko-KR\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\IpsMigrationPlugin.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\InputPersonalization.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\rtscom.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InputPersonalization.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mshwLatin.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipscsy.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\FlickLearningWizard.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Notebook.jpg	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\TipBand.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\AddInvoke.dib	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\micaut.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipRes.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsnor.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sr-Latn-CS\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\tr-TR\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\rtscom.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\rtscom.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\tabskb.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\RyukReadMe.html	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\mip.exe.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\symbase.xml	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	67849a6a23fa2e3a3b6e717bf992c5ab.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	67849a6a23fa2e3a3b6e717bf992c5ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

67849a6a23fa2e3a3b6e717bf992c5ab.exe

pid process

2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

67849a6a23fa2e3a3b6e717bf992c5ab.exehsJwCJLYXrep.exevFTMpJjnVlan.exemjZqtnNovlan.exe

pid process

2536 67849a6a23fa2e3a3b6e717bf992c5ab.exe
2768 hsJwCJLYXrep.exe
2696 vFTMpJjnVlan.exe
5672 mjZqtnNovlan.exe

pid	process
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe

pid	process
2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe
2768	hsJwCJLYXrep.exe
2696	vFTMpJjnVlan.exe
5672	mjZqtnNovlan.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

67849a6a23fa2e3a3b6e717bf992c5ab.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2536 wrote to memory of 2768	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	hsJwCJLYXrep.exe
PID 2536 wrote to memory of 2768	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	hsJwCJLYXrep.exe
PID 2536 wrote to memory of 2768	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	hsJwCJLYXrep.exe
PID 2536 wrote to memory of 2768	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	hsJwCJLYXrep.exe
PID 2536 wrote to memory of 2696	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	vFTMpJjnVlan.exe
PID 2536 wrote to memory of 2696	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	vFTMpJjnVlan.exe
PID 2536 wrote to memory of 2696	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	vFTMpJjnVlan.exe
PID 2536 wrote to memory of 2696	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	vFTMpJjnVlan.exe
PID 2536 wrote to memory of 5672	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	mjZqtnNovlan.exe
PID 2536 wrote to memory of 5672	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	mjZqtnNovlan.exe
PID 2536 wrote to memory of 5672	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	mjZqtnNovlan.exe
PID 2536 wrote to memory of 5672	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	mjZqtnNovlan.exe
PID 2536 wrote to memory of 23920	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23920	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23920	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23920	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23928	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23928	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23928	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23928	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23936	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23936	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23936	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 23936	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	icacls.exe
PID 2536 wrote to memory of 42856	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42856	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42856	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42856	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42884	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42884	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42884	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 42884	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 42884 wrote to memory of 46608	42884	net.exe	net1.exe
PID 42884 wrote to memory of 46608	42884	net.exe	net1.exe
PID 42884 wrote to memory of 46608	42884	net.exe	net1.exe
PID 42884 wrote to memory of 46608	42884	net.exe	net1.exe
PID 42856 wrote to memory of 46620	42856	net.exe	net1.exe
PID 42856 wrote to memory of 46620	42856	net.exe	net1.exe
PID 42856 wrote to memory of 46620	42856	net.exe	net1.exe
PID 42856 wrote to memory of 46620	42856	net.exe	net1.exe
PID 2536 wrote to memory of 46908	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46908	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46908	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46908	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 46908 wrote to memory of 46932	46908	net.exe	net1.exe
PID 46908 wrote to memory of 46932	46908	net.exe	net1.exe
PID 46908 wrote to memory of 46932	46908	net.exe	net1.exe
PID 46908 wrote to memory of 46932	46908	net.exe	net1.exe
PID 2536 wrote to memory of 46956	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46956	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46956	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 2536 wrote to memory of 46956	2536	67849a6a23fa2e3a3b6e717bf992c5ab.exe	net.exe
PID 46956 wrote to memory of 46984	46956	net.exe	net1.exe
PID 46956 wrote to memory of 46984	46956	net.exe	net1.exe
PID 46956 wrote to memory of 46984	46956	net.exe	net1.exe
PID 46956 wrote to memory of 46984	46956	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\67849a6a23fa2e3a3b6e717bf992c5ab.exe
"C:\Users\Admin\AppData\Local\Temp\67849a6a23fa2e3a3b6e717bf992c5ab.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\hsJwCJLYXrep.exe
  "C:\Users\Admin\AppData\Local\Temp\hsJwCJLYXrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2768
- C:\Users\Admin\AppData\Local\Temp\vFTMpJjnVlan.exe
  "C:\Users\Admin\AppData\Local\Temp\vFTMpJjnVlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\AppData\Local\Temp\mjZqtnNovlan.exe
  "C:\Users\Admin\AppData\Local\Temp\mjZqtnNovlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5672
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:23920
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:23936
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:23928
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:42856
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:46620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:42884
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:46608
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46908
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:46932
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:46956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
1⤵
PID:46984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
320KB

MD5
6306b6dcc99b48e0e422636455ecdea2

SHA1
2209e3fee5fb1f3046fd9a37ff3d13b458dc126f

SHA256
e196026d46a772fed111a75944e19a88604b28f08f53de2685e3df8a0324c61a

SHA512
65e3fbdf703353cbb22d8d43196ea05b10a3fea7337800400d27be5c034ca3584129923bed6ae5e0a4a8e7b0738f618444822d2f4f0c4e9919df2204832b483d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.2MB

MD5
eb6162a186f6f91d09db9c43b94d3687

SHA1
adc82862bbf8b71174693f007e125711bd8cd56b

SHA256
16ada040901b47b58aca3d1c11b0bc99c69a984c8fb54531ff5153dee7605671

SHA512
03ad6f9a0b38d39e49448ac5aefbd503b50a4708358e13c6a39433cbc8cf08a860730067ed64f7fb93ce31aac9d0d3cc04842eff60a34a794e7d9b6d4466d6c4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
f8e2fa193862018dc2109b5f160731b7

SHA1
bbb26d9cc88874611641631980335e1dd6224ee3

SHA256
b6b14ea3c89da5102e18df96d2fe2d5e82525cbd8859bb34e210aec11c68e5eb

SHA512
da280b7417c5b3c4a035488515ea49295ab72070e180f9e0673ee3274ea2867ec33668c40fd5c70e035598d466528123d7fb8c0d377956f4a402456031eb3e8e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
3.9MB

MD5
e6226c272409a876a374a0edc844ddbb

SHA1
54c095fbce43fbad0df7036b42fd04e720801b2d

SHA256
9a5df7097b538687f6e33616656d11cfe7a716148e6d9a0881c1bf7fb04c6378

SHA512
b7fa51165a2969ed076a2ebb3d6cd7064f0f361fcb781bdce4aad2000bcb9f92bd9b79628c81965ed550b7eaa4b0c516c019b6256904f202265377ab638c89f9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
6ca7add891122b9d551a10d28e711972

SHA1
1d030750c4446c97fb29e7042c0b2b5158dcc4be

SHA256
3c44698d34d25409b69222f9ac7320c186140a765e825fcd2be73bce8293f4d7

SHA512
cbc62e4365adc80ceb1402685b56908d8e3180944cc00b8d1f076825c88dac21fe1346f133faa6cd48a365a2661c234354c2c72dac1c514257454f5766fb1eb4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

Filesize
3.4MB

MD5
98bdec02eb338fbd0465aaa11b0d6005

SHA1
0f56b87e89706a8ea6e707eb11355a96bbbe6446

SHA256
982442f5cf8b7d326a2423dcd18105c572f98baf37d7baa4db9fbfb22823b2e4

SHA512
0b3c9aaa6a848b3e7db35bd8c088db40e4b405c62bb7ea60059f3f842081a90885a2af6990814def486456d1d80fdd7803e1bcc1205a2e94c82978d39b7d8b12

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

Filesize
64KB

MD5
69606fd6dfdd9fd14e9c91dde398eab4

SHA1
f8ab1f25de030d10f989fa659f92d2d4fa440315

SHA256
50e75ee0c3671cb978789f1ef1036dc6e08ed54246933d0e55644a2af4c239f9

SHA512
ff6048aa7cbe2dbb74964a999cd751a59c39b80b6128f85109773ecf6fc68b8444a3ef23f52e6b3c76e5fc94fbc572eb7846e73e61c7709642459a15e3a2c2fd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
eb76c226b40f0949ded05d30b19a59a9

SHA1
156f81199887847011bf6fbf91a0c73be329b9bf

SHA256
dd6d63ad70ad88787a07ae279399dec53cfeea853c81afaad97fa5764a9e6642

SHA512
5b6ee56ef3b7a8c269baf10072a05a997ea70c4792b16e4966ee9a2b9b80b0608fa02536d434665e96d0dc9839cb5372adb8bc3a9d18f5abe7d0e326ed444143

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
ec1fe6efc1d505cc443fae568efd87eb

SHA1
972ff168c5643a8847a5ba98838805a40183db87

SHA256
c8c2ad1ec1d96a067c5c4079ed38a5cf6a5915755f8d0f2fe43ce2564fdebeb4

SHA512
0cdc440609fb8c4c1b6ca697af49c6da4520bc2db6fde70005a2bb181d372e6eaee0ce9f8a78b6cd12c001ce862f271dddd49d38a251be2151692bf105a64c22

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
3.0MB

MD5
506d9d0d96a89f2317bd1803c3a09b4a

SHA1
39de42e1e344f9258eea88060b00662be2dd8539

SHA256
8fda97e9f055192ffe49f44de903081df195a32dfadf5fae6ffd9ab519898a2c

SHA512
afba76adfd911f94b10e558958a48fded25c06fcf403020a4ffa551e9bb497a86e7a263c54408a83693cc2ffb906ea3360b350674c86208ad47d28984e9cc3ef

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
b8bf8bd89da4017e1a2ecad3d039b19d

SHA1
1e825359b08652bcc32e9318e6de2434d50feaa1

SHA256
ea1e6d3659417d64dae563c9ce92dddad36026e6dc8b1edfb4cab15149c5ee2d

SHA512
6fd775f1e103fd9a988abb1e4736788f75bbb6acf31c518efd3a33f3c43c53b26eb6933ac1f8e1c0443fe98fd4f600e690b1a3519501743784d81eb3f3bf1f31

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
160fe374923822ca9315117ab4534298

SHA1
d7f6ac67d6089b6a8bae38be413cfa70e29151be

SHA256
124518ad1dde8e370198f73396ffe3e77b68013221948120f9386a1ac6e2d4ce

SHA512
ceb295581697ad085e8f5be6c03bc4ecadbd1c802302c89926c75fb68157b9f9e9044b09979d6faeb5d7b298a977cc8a1ec78a5a10a58608312136420b6875d9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
e587c217a25f2ec734d0bdd8451d44a0

SHA1
60697f9c8f2f18668debb5315e779d9cee77108e

SHA256
647a17541de1a82be207a4342a9ac1293843803333fbf041cdb80a664d091b42

SHA512
bee5e76e3e44ed4866e328e8a9eaa6b51b58c81b8688e4302aa4d0e08de0fc04cf87df4aaba17c9c7a7a33fd931d585882eac0675a5df7b4dfd6cca02f3cdfad

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
804f710daba1811003d3eaef83bb3404

SHA1
56190f42f1e699fbee7e49cf4927e835c7db4feb

SHA256
8227fde54aeea10a9d0639add1d40512bfd486e931b2071efac223636531bc70

SHA512
1067a8f63a442e960b830bfddc53b5bd125d94a0e030090f211dfac4ffe7ce3bc2002a918c69fd82ea2b5438c54a661c6fb7b463fbd76da710dc539c2ec23ec1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

Filesize
2.4MB

MD5
7554364a3a6e96e8569dfb7a53f2a4b6

SHA1
a9471bc539bc9c9912dc994e034bfc93f31586c4

SHA256
8352d60bd33842a178647eb32e63c8416265ddcaa735de52a97cd03722f1e6a7

SHA512
392c748cea7c9b70fa2e30e0d990fe07a2ac1a0521e3b772a23bdcf6e34cb1e17d3a9ea26f028221fea260c9cae827a2d712c9fcce36481e6885ea9acfdac0c4

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
8e3fdd08acbe718c1e3225a1bd3a6e8d

SHA1
e9313a65256d27f79a4bd83c914d5d7a4c3d0d25

SHA256
c2a375b00082a4b29cdc51b76bc1e8fe4b9b626d861c8c530e01879a3dcbbc5a

SHA512
b226fba8eec4e498bd71d85de00e35af77a2252b26818ba42b7f149cb7d3b8faa5322b212945c9ad21fa5c0ac00ebe1cdfdefad68ec530439fbc0a889b47c8c7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
2.4MB

MD5
5756db36f79535e3de1c68f49af00f36

SHA1
daefc3be2dfcc79cd4f9f581a9feead2a7ff3452

SHA256
60f200cdc6eec84fe51f75ee6991df1eb90f2eca09096d31961d764f55c24da6

SHA512
0df2434fc4f2001b40dfa7ac43454e3770c5fa64094efefc7b2cd41499f2347f2eb1f08be1d7bb767fd2c86d9be356bb2a24c8041727a6d41f61634cba0a5152

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
07c9733460d4539da67ec9935f4b1ad7

SHA1
501fe88f41ab14eea78ecbb376d758f8cc3a1afa

SHA256
86c9d5a5bd7296096e80e3fc8844043a7f3bec09f999985c73b5b5325d7edccd

SHA512
b8633d30d860260c4d0580e82f2a47cefb3b8defea3da72ba8c5a30321fe1d20ce1214a203eb83858be1a50ce32ac752c430642963664bb7c59057da97b31a00

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
bd39080bec81c9ee209853a017777e30

SHA1
abfe99d135de6d910783453df761434ace570b57

SHA256
7d90eaa4c13c14c082f13e5a36e1a9078cbf94f5fd6243c77da42133c0a7d78d

SHA512
44f5179693f152cbda13d338beab4778e0e1825c23fd81cb08d56224c5cc4ac189dabc74ccc3b90fd05e9de60b62f956ae515843758d675a1db1eab77e62812d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
2b825ad1a9cacba945f1d70a3b1dcd86

SHA1
3cc367cd0db70247399c61baca78e2f923753abf

SHA256
a8c60c302687634b583d134fe96575f316d08ad2d795a3aff961501d9c2ae226

SHA512
c5e540c05c20390d675759ddef60cff3198848e89b5281e06e40ad35ecdf85952057703450c65a69c9bb0080dfeb090ff4d7b6716cc39c7c6cdbe1dcb697f120

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
2.2MB

MD5
24e4336f01e801de58d241cd8156c492

SHA1
0e1045c8ac831da1575cf8f4eed887b3900d2e73

SHA256
95b4614c9baa5ca454e1b7943078f525ba7ce40da6efe1876252f67389cd504a

SHA512
1a1f74231ef697397d3ad2d67dd2d64f87c3ac9b4f245878ee5fdbb986c92d6e856b96f6e363dd0b714aad4dd8d910a1cf4279071ba382fcd42695f52c4817ac

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
d87e104322212159d8c1e1af34a4cbfb

SHA1
c65644299ff71715180c28e273564f6340485e9f

SHA256
ea86247b6c0f7db3a769d7f4c62ac6a71cadbe34aee9c0ea04c39bc6825e191f

SHA512
c76db5142c76d75c6a155ecc27dad383dbd06416abfb565bf04ef43945a99b640aaa95db4162ebec895d9a4a19fbd63c607e61753c615d0db24f12db5b44e163

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
2cbb138e463817098ee844541e0ac95e

SHA1
108a85385c98281c663729120b8d35df46f3902d

SHA256
25c2ecfeea70041027597efe17f1296b27ef4af35e4f901631423304a888fff5

SHA512
705e8676aacb8848b90e97525854434e1e49889134d795a5e4bd1c79c47d0964789c0d88ca662cdc0917a544c9a199812e71f996a66e3cae70dac76113ecdb21

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
2ae40110347c7df2f88a56f23a6c3e15

SHA1
7f6981496af8805ce4818f61b72cc12fbd24c450

SHA256
9302535342d1f9867f347e3ff095cfafde0f0b27586c91182ca45ec929ca16ca

SHA512
b0c61ac4b4e2c8f97eb24be3181665db2a0bc2c2bbf9441027039674dbf0e146ea040debd0e65a6fce1eb3da7301e301e44cb6d24a02213f5fd9c881ccf19f9c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
f24e7e5d2ad23ceda812c66b6dd53efa

SHA1
888a305a4588d265217348b34730ffc0634c1242

SHA256
1383d12b0ca2c0ffc9746927c63715d28b03bfaf5426edb50beb90f275c8ef5d

SHA512
7465fa65725c81930f132da0283b91dffef3bbe5c12a888d7158d0631a5ff12353e86144c1b9a95bfb3e19566e1fd2ff0c4b566fef86e0f522ed82d97c3d9768

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
1.8MB

MD5
36dfb59d6bf67fb72ee594256c13ce4a

SHA1
7a03f2941d99f0a21d30166d6a887b3f23bcd515

SHA256
584a0dbd7184d1dee437a2ad5dddda7e8dd90b492cf4906fe7c26046cc9163cb

SHA512
8979edfac9d65d8eb65f144904ad41b969b272b8469bce2958b9d7a7727e29037979896ce92bc19e273606d27a11a662165df6676992ecbccb6fe4ea15eb7645

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
5872c1f242c4e55918d4493cf270d949

SHA1
3db9db9c3842ca28772edaa0b8d91a739159e103

SHA256
060c08b3dafe166df94c2068b3a4c2e96ff1a6a89221979dbff8eb3a9bbb48f0

SHA512
cb312c610bca9792c27fd6079004bfba1864ccf5a637eb4d8ca9e7ab35e6ea521f12018efbedcc48ced044dc75b5a03b23ccc9ae6076032b4d570397d7c0e968

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
a7f715b84243ed8954e19195da19c7a0

SHA1
973c13df94ebe6b2e2abddddc72af05a30ad446c

SHA256
ae6b644f64b76505d5c301c108720d0bfa2bbfb692615af8f27ede56940aede9

SHA512
65b2bc1480643a70adfec938a46f8af6d176110e59fa59dd13799466b51d1b7857965481ac88b69216847e6fd40c8d37e8822dd5b6067ac4ae8d59e5cc5cf7e1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
1.6MB

MD5
92f598d537259126377413c7b69cb8af

SHA1
e018b519d1a62c4a211f1df2081af8aae1f57255

SHA256
1be5a1b1c06a98bad49d292c1b7387dea5699d4a8f2260ca183de8a01bf410d0

SHA512
3ebf6be380bc95e341795146b4117e2e7e826d331e15453f57d939c8c874d83766df2bb4f585074c06ca1e8d432fe88ff53ed110e381b052f503772acdedaa06

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
ddca9e2a55e335631c6b395f1a24c558

SHA1
e4708d1c9558d81cb430ab46a24a4aeb383ca0a6

SHA256
736a6f7d2cc71fc4eac20a3b9d87bd0416cbfc53657d70fa588f16c944988643

SHA512
9fe605becd52c28a7156d98c1e0993c22230901aefde6df474d3e9cab6c4a473fc918d4ac4c1a7d2383a0fd53ad165a8f6d78e5604b0588e9e0ac44173a1e637

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
630cbb5a89c3c57dcb4e4a133e15e3c8

SHA1
599963f6f3d9445dedd7ad4f2f404a39d47fba1a

SHA256
a0d94f83a66832075292e63790a4531586a967a9157a6678891760076eb5e2d1

SHA512
e09ff4322431cf5c091a13b744b31853afc9e85d4525ed523f223768620b6aeab2db6571022ee10225b1e941582a268ac4ad72e2affe1a911cbd419761bd822c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
1.6MB

MD5
3c00d0a5178d76a85e52bf5436322325

SHA1
6573c1e7a5e8372715c889aaa59174e42f0a6859

SHA256
5103667955bb982f635c5fa15249f9326e1a49726f8e0ffdac70dd106eb9bfb2

SHA512
111f0d3d7ea8a8d2d8903a4eefa984d182781ca5ae20f8da72fa5cacce924ea8b5777f52f82470557e6391fecb238a58a885769d066a8394bf6eb45ae14b913f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
08ee973d1de2aace8c0560981efa8826

SHA1
eab0aabe91f1711be1c92ee0d95f389c07685c08

SHA256
6108e2357e197c5de7f939b9909e86de3b38a9fc28ffe3c790e49759b59d7e18

SHA512
e95487cada5a9e28032fc1adc10b29baf79f083bba05900006de0f744935625ec9d9f0bfb11c11e50931bc6e9b44fd939c08ce335cf3e577c72b5c83f3861912

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
513e26a2a2552afc95f39f0059cef5cd

SHA1
1136a2ca7ed159c847de59dd2ef26b1ebb942298

SHA256
7ec6e20afbf91134fadf576e1ed16dd8d24b545a46efa5f5c9d8be57d63c521e

SHA512
6c663443c3c90efa065cfb030a732fed79c801445ba7d70829cf1020f819547150dce9050563af1e826b8f662c073b4abc22bca03c67d4a8aa793f4345696a68

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
1.5MB

MD5
0e5ad0c6704f1a9d230b83d13ec41d3b

SHA1
95f68152d11d25199cee92ab5162bdadb2f267a3

SHA256
36580ea75d9aea3c4f0808048cea6a4d0f8fad423fa9a48a858cb3fb76b714af

SHA512
badf41dca68e068e8f6f738831c039ca76216a61f16daa9c2acd4a7358341b4f14ff745ae4a7655f2054cd7014a871e3f8b78ac127eb07a5a28c3a2303a9c073

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
e430fa4de4aad3d82a6bc1bbef520e89

SHA1
10aec066bbb94c40bba21383ce5ecf4c03d65b92

SHA256
4a1bb600f9bf545a24bf5a1aa14603593ca859e9f5b800b91d2a4e5b13abaae5

SHA512
94b4ff4523dad8d02c34021130de0b88681a009dc3f20b1963cca57834f5db014ca263a3c5217d0384fc15a3405287ce44271139dbe3a59c4ebf8e6a93527c94

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
536a698d3151444a3b763cf1407f86c9

SHA1
213bedb84da448ef1848a61096bd71709002e40f

SHA256
b7c8deacbadc8a842a50ec4714a513fb87c3e60d68c7b9745a314c5d1e7f3a6c

SHA512
e8b3cb9874066f5a1b7068beefaf11267e6dcf84c9ba1da435db84ff2706b9bcd1e5a191ef9f64f9e6bd79a0bb52e04d08a7b80177a56b3fcb2ccbb77e3b0545

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
b055f65138015a94b73f49b75bdf984d

SHA1
ee9ecd0d4f126542d875a864291343117e6c6be1

SHA256
569abbc62fd095dc1c381e95d61a7d3d88d81d1bbad2d630ec998504cd4c7297

SHA512
feb33ddd5084bb3308747f8668da822b3debb8b4acf3f7cb9f5a5f3194f9bc8386dd5258364925c1764e0d11abc240f9978d04a6bc4bc2f2c4af35aff9d8f6e3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
2703ad46011adc23f3621999d43f1ac7

SHA1
77e48e0b376fbc93300d57bd2d843e85c674f00f

SHA256
bce6ac9a97ae7ef5c2edfcd4c7fb717cc86b05d14b6c0b3d55695fc79e870ef2

SHA512
3749d754035053a758916a6d0f77bb8636c4c22dfc47b36a16ff0f37c6be71702e4ef45ac8bbb4b17dd10845454a861efeb11a44c67b0c0b58ab49ff86de6a9d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
54a08feb7d49ae610bb4f1ee3a1509e1

SHA1
92718f3d44ebf3ea5aa91ab439fa1c57c5bd9cd0

SHA256
199a0dc5fe8d0dc8d57a64c02f7cfc91cf31453f09ef1fdf9b0c0b84b9e7eeb2

SHA512
dec6654c032fd43c07c1f7868a0679f72dbb2ac32ec6bcd0b5736168cd94c6e4723625eb59163a395d1a507011d7cbad35904dca756e9d62f8c44b0760f3eaf1

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
1.4MB

MD5
0fcfa408468872cab90b06413bf6f05d

SHA1
dfd7dbdc3dd510e3d9ba73ab99a3eef355b1631c

SHA256
c163f8f6f96b784d0db66f0dd6c26d61e12f8eacf636e488035f172d1275fad5

SHA512
594984f25dbe605f48e296472bfe5fa794b67b7f63f4b7dc0226725c038bf3c85601ae09936e04a72a33fd66d8e30def7dde9662c331c0396e517685cd39108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mjZqtnNovlan.exe

Filesize
384KB

MD5
37b9f8e8a0d1ab6fffdd33050b2d9701

SHA1
6c5ac6b8c4050f78dcbe7674e5cede3d4f967a06

SHA256
636d12c5f023f01560ced48463720165c33554356d7de3f8ed404fa78262c578

SHA512
d79d88b29d3b80e4119699aeb53d20cd325add74914139f685c625b6ced63fe2f5624273314809c5d9df1c413407a172c96f50bbb8e823fe08648c73812b9c28

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
ca0620ff82771929c251c61d8bcef679

SHA1
4f662e23762e83b7f2ba2e829ad66d65a1f9dba4

SHA256
11cf0555dd4125bf521711e4baf8fd0664decabf2a0be31722214ca84421a11c

SHA512
4c5a5bec9ced1ef3a19fcd7916848a73ce8b5ea91789a91699fc2396ee727523b31416ccb3338a0f9764a1accd385b97fe1ac009d29b0ac278b5ea3f7b80d35d

Download Submit
\Users\Admin\AppData\Local\Temp\hsJwCJLYXrep.exe

Filesize
922KB

MD5
67849a6a23fa2e3a3b6e717bf992c5ab

SHA1
5dd1c28989b7420d3b0bdc2770691bfef8550f06

SHA256
6e2ac459c37d1193fe411683221d62747648f5628f53b9c0dd1c0d9aff619994

SHA512
ec52232f1fc077f9557b6e08e2e541204e066fb63b784e2aff1a1e9775dd633ba8a7240c1109d392a987415927e23b5b06d8408da307993216f174600377af25

Download Submit
\Users\Admin\AppData\Local\Temp\mjZqtnNovlan.exe

Filesize
448KB

MD5
9bcfc55bc36216cfd55edb1864bc3abd

SHA1
d71c5b1d168ec7e9fca0649200296c8cd0e03600

SHA256
ac34411f793a5882a66fc17c83de8980227cc2c7ccefd354dc2886d729a20f65

SHA512
5f83d0c5ba64f126cf608ccfbd7eaf0492bf3f916223b40876eece295cb3ec7cc29ce63561dce1adbd27fd4cc89bc49d61c9783fdf7c27ea151f842f13862299

Download Submit
memory/2536-1438-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-2842-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-7483-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-5078-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-2189-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-791-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-545-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-311-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-11-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-28-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-1-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-3-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-40-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2536-0-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-2307-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-7547-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-41-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-46-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-25-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-5776-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-24-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2696-3299-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-1379-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-504-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-8863-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-13-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-43-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-283-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-15-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-6777-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-26-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-12-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-4766-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/2768-37-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-38-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-505-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-39-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-44-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-663-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download
memory/5672-8887-0x0000000035000000-0x0000000035194000-memory.dmp

Filesize
1.6MB

Download