ryuk | f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0

Analysis

max time kernel
126s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
Size

376KB
MD5

7d3f19b760cb1958a2c4d9ca7492c406
SHA1

c3fa91438850c88c81c0712204a273e382d8fa7b
SHA256

f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0
SHA512

64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91
SSDEEP

6144:jwHqh+1uu3RVmPY55eExdAev5wuSiRqAO1iNgLTBs4LhVJqRcelLQMo8:P+1uu3RVmPYaad5wuSiRqLNeRcZMo8

Score

10^/10

ryuk credential_access dave discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Renames multiple (1232) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1956-4-0x0000000000230000-0x0000000000252000-memory.dmp	dave

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004
Executes dropped EXE 3 IoCs

Processes:

aNfPyorNSlan.exevXtiZyzralan.exeYjhQVUvjtlan.exe

pid process

3016 aNfPyorNSlan.exe
2644 vXtiZyzralan.exe
1904 YjhQVUvjtlan.exe

pid	process
3016	aNfPyorNSlan.exe
2644	vXtiZyzralan.exe
1904	YjhQVUvjtlan.exe

Loads dropped DLL 3 IoCs

Processes:

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

pid	process
1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2428 icacls.exe
2412 icacls.exe
2068 icacls.exe

pid	process
2428	icacls.exe
2412	icacls.exe
2068	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\osppobjs-spp-plugin-manifest-signed.xrm-ms	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives_1.1.100.v20140523-0116.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Nauru	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novokuznetsk	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\stopNetworkServer.bat	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\ja-JP\msaddsr.dll.mui	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_SelectionSubpicture.png	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+3	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\osknumpadbase.xml	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Tunis	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.services_1.2.1.v20140808-1251.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\baseAltGr_rtl.xml	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Amman	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.analysis_3.5.0.v20120725-1805.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator.nl_zh_4.4.0.v20140623020002.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\RyukReadMe.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\content-types.properties	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Antigua	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Bucharest	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.nl_zh_4.4.0.v20140623020002.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\rtscom.dll.mui	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_ja_4.4.0.v20140623020002.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hr-HR\tipresx.dll.mui	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_SelectionSubpictureB.png	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Winamac	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\RyukReadMe.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\net.properties	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkObj.dll.mui	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_ja_4.4.0.v20140623020002.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.properties	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationLeft_SelectionSubpicture.png	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BlackRectangle.bmp	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Cave_Drawings.gif	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IPSEventLogMsg.dll.mui	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\lt-LT\RyukReadMe.html	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Perf_Scenes_Mask1.png	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net1.exenet.exenet1.exenet1.exeicacls.exeicacls.exenet.exenet1.exenet.exenet.exe7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exeicacls.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

pid process

1956 7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
1956 7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1956 wrote to memory of 3016	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	aNfPyorNSlan.exe
PID 1956 wrote to memory of 3016	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	aNfPyorNSlan.exe
PID 1956 wrote to memory of 3016	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	aNfPyorNSlan.exe
PID 1956 wrote to memory of 3016	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	aNfPyorNSlan.exe
PID 1956 wrote to memory of 2644	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	vXtiZyzralan.exe
PID 1956 wrote to memory of 2644	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	vXtiZyzralan.exe
PID 1956 wrote to memory of 2644	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	vXtiZyzralan.exe
PID 1956 wrote to memory of 2644	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	vXtiZyzralan.exe
PID 1956 wrote to memory of 1904	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	YjhQVUvjtlan.exe
PID 1956 wrote to memory of 1904	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	YjhQVUvjtlan.exe
PID 1956 wrote to memory of 1904	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	YjhQVUvjtlan.exe
PID 1956 wrote to memory of 1904	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	YjhQVUvjtlan.exe
PID 1956 wrote to memory of 2428	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2428	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2428	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2428	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2068	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2068	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2068	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2068	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2412	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2412	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2412	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2412	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	icacls.exe
PID 1956 wrote to memory of 2636	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2636	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2636	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2636	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 2636 wrote to memory of 904	2636	net.exe	net1.exe
PID 2636 wrote to memory of 904	2636	net.exe	net1.exe
PID 2636 wrote to memory of 904	2636	net.exe	net1.exe
PID 2636 wrote to memory of 904	2636	net.exe	net1.exe
PID 1956 wrote to memory of 2348	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2348	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2348	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2348	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 2348 wrote to memory of 3036	2348	net.exe	net1.exe
PID 2348 wrote to memory of 3036	2348	net.exe	net1.exe
PID 2348 wrote to memory of 3036	2348	net.exe	net1.exe
PID 2348 wrote to memory of 3036	2348	net.exe	net1.exe
PID 1956 wrote to memory of 2808	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2808	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2808	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2808	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 2808 wrote to memory of 3052	2808	net.exe	net1.exe
PID 2808 wrote to memory of 3052	2808	net.exe	net1.exe
PID 2808 wrote to memory of 3052	2808	net.exe	net1.exe
PID 2808 wrote to memory of 3052	2808	net.exe	net1.exe
PID 1956 wrote to memory of 2728	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2728	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2728	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 1956 wrote to memory of 2728	1956	7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe	net.exe
PID 2728 wrote to memory of 1036	2728	net.exe	net1.exe
PID 2728 wrote to memory of 1036	2728	net.exe	net1.exe
PID 2728 wrote to memory of 1036	2728	net.exe	net1.exe
PID 2728 wrote to memory of 1036	2728	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d3f19b760cb1958a2c4d9ca7492c406_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\aNfPyorNSlan.exe
"C:\Users\Admin\AppData\Local\Temp\aNfPyorNSlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:3016

C:\Users\Admin\AppData\Local\Temp\vXtiZyzralan.exe
"C:\Users\Admin\AppData\Local\Temp\vXtiZyzralan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2644

C:\Users\Admin\AppData\Local\Temp\YjhQVUvjtlan.exe
"C:\Users\Admin\AppData\Local\Temp\YjhQVUvjtlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2428

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2068

C:\Windows\SysWOW64\icacls.exe
icacls "F:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:2412

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
- System Location Discovery: System Language Discovery
PID:904

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
- System Location Discovery: System Language Discovery
PID:3036

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
- System Location Discovery: System Language Discovery
PID:3052

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
- System Location Discovery: System Language Discovery
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
4c902596954daf84cef8298882a9a74b

SHA1
d804c6e9036f704d9a338fd2eb77e818296f41f0

SHA256
8fe894845259bb18dbbe6aa5546faa84e8618f6e2e033b6c08f59ee51ffc6d4c

SHA512
951cb24c9e665a9c238391b2a36168371eaae5aae52b6e0bd731dc3e0779bf19c522d329b69b00bf5129935013eb9c45a5b10a1de0bd0234936fcb911bd703fd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
7bf0d0200814798579645a6ac1f7254b

SHA1
1964f277a71e752c902eea85670d95e5dc846732

SHA256
3a2821d3a628dbd007738c6a1d2e3e36e698a8b382405d8afd6eb1baa2dd5487

SHA512
92a70b9115bc5735be2d8c808a72f330316da7c85b4ae6c6fd17911c6e796c7514cf873989e4c1547ca3502b072ba7467ebb022f3849fc509340c611298545a1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
15353e058b35ab5ac3528402d34cca29

SHA1
bc5c9523473f2dc1d78e545ff29ded7b765a4a2b

SHA256
0f2ca172f2218de156a0b4ce29b6e53ed251419411341793f85a866e9c5d44fb

SHA512
79c17a7e50e9df4eaf6aa1dc78d8b929c563126e9bfa0b320859a3234578bc3dc063e4d1bc9fe4e8205ba933b82679d028d1be237de8b3919b8d6fca4641ca39

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
7d12f4fd39b780e179c05627f4f9a2a2

SHA1
d3f09c9423ade0355aea230c613aeb1c1fa25691

SHA256
991f237fe221b3a2737a051ce4c2700d6d5b5eb50e65357159793946b0df088d

SHA512
cc33c31870dff1ab0da32d71f930f9ede05de2b4842e6d275c8564f5b98eddc464dbf5372ec73574a081ec075871568ddca6e8aaac64c6a1d577bb39a061c2df

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

Filesize
16KB

MD5
809bace8974f88ebc92ce56392287e47

SHA1
0dde8ab6d336effcedf3324ee36c68d1ab014c2e

SHA256
09ba6ba82cbb9279b5b175766a891ea88d99b6d17c32103620324a64d1fae1e1

SHA512
6622f7b86b89757684545bec434ef487a7208fea4bb349137459a419dc665a41f7e8c813d65dffa2b8ae1c5222f58c17e9a0f20c5f8efad246c2d7ff2c2c45aa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
7aafec324e5e014ad1bbc1479372676d

SHA1
0d9b61992554101f87241addd4810ff618ee34b2

SHA256
b8892731fcb73bb992bb99366486482f9b63955d8c555ff49f957005bd477c77

SHA512
477ca75af0e8ee2803ed75bda1a21994cae95f91c46aa0489fbc71ac7c0fe95312f5153d47d8339ab0509ea33eab335ce58e41d162978e011ad719ad25d86842

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
92c393e430273bef3ef2e008787db2d2

SHA1
c0b761f6b83ced43329c65b63cbb86de9a366c33

SHA256
34f9a29a32ecef033abd9611884292fcb22bedc9288ccea3db8812e47975635e

SHA512
b40c914d4696e0e6d53130b6c4333cd538d5375ba8d03301621b4c78c5f404af10818ae43918fd61e3b9aac9ed6f003a8650a7690cb237ca97981e021ed8b011

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
ed3f4a7dfb076484d6560dc0fa3a8e62

SHA1
55464152f3efab636a1f9405a50d495d9abf79a9

SHA256
0176bec17c42f6f9a5a5f71f794fe70afe04b7acd42a6c3030051e40908d59a4

SHA512
74f6898e75ec8d0a64ccf58f11f05e25300d401052c4b2f6e40226fe705a97c91800e96efeeb96444df4ba0c4f418804f4a327ba6407cc2b5b2e71af69c3d63f

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
b8c272f4804f6ba128502d651a3c71dd

SHA1
229ca070a0450338a06315c4901c1b87a086200b

SHA256
da78a8f0ab7f30f3de1d4da677c41a173685f9e47f35bd3ccb1762c80df9acb9

SHA512
5dff2fca8f658b1e2e2e8de6881cd58e6d4bd386aca0d0eb680bb49a15fc6e80556b1ea37fce0949075ba71429e8a026232fa1ad7c364824421768600f67f6d0

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
71218eb08c7bda154d9d45cb86549678

SHA1
8340bfc9f8bb1e1101cf5adfc472ad06efe449cc

SHA256
0f4430bdadd4185e9b6a16a00b2b87ccd97307d161af15dfabf173a44d6fcb87

SHA512
d6f86c811c53e7d9c473d5183122e5b590e7ef245df49e16aa47a1a33474e7fa7c57d12dcacb4b89c153700a9b605d544ffda11f8b1553c5774b55c2915e20f0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
c643aa5ae9344765f3c18ed090e51dad

SHA1
0758507b528d407147f0590f142bf9c0f9430106

SHA256
b7359f5989031b76a72c623a73a7e82c902908d614cd47634d80e881b01251d3

SHA512
3b8a932deb2b8ae8f88826ae13f974ac7f24bdb81633c4ff4884b8e431b70cada0708139058515429f378351ab0e7f8231f8d3de3157d37b31ddac1d86460a0d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
b918a0ebf790361620d0bf478b51ce58

SHA1
40ad5860744aa386ebf51b8369ee97761857fbb8

SHA256
344af0f3ce5ec4a73f8f468eaf65753d021f5b11def3ca98fa84a620bf736cea

SHA512
ee1a5ba4b8d816b6f8bce9692f4e3c753faf188fac4160fef55febc6b7ff87ec49824e8f3613438989f561266925e648f69a63d3da59cebbf664a6fc14d47e56

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
6984d4193c8b3bf57ec15c1d8203b9a9

SHA1
5a7cafca7a76c50fc5504d7da210d23b4dcdc3bd

SHA256
1045d5add5a6121a784f39f2df84391a2ce73e6f93e02c98030a34db68e7d5f8

SHA512
e0d76a4bf8febc1044ca95b5e1a61ca416ce367126557b2c0d9bc8599dd431d4898737704b53c0abd7d13312808129bd7e210c11056772d0a47de51aad6976be

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
155b8823e874b12540494ce61f3c09d7

SHA1
5e6c3a2c1c3628ff751d4d34a964a0b36ff1c512

SHA256
021aba4e5219bb6991550fedf4c18c77635250518f4f4d8be04c81a4f99dc7db

SHA512
b23c2b213d94288b9ec2cbc55fd6a056d11aacfac53f7df2b1bbdec1e75d3a0188c0d2cef80ef5f9b0c71fea6f37d3810df191a6155b8fdda4e58b19ac70568c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

Filesize
1.7MB

MD5
b98d708c6dd2e0845e441455669aaf27

SHA1
d2a88000308b2393f4a359967e32f5f8d98fbf39

SHA256
5111cb1dba2e25837a5a4900bd4c1755a22d82b115f194bba655fde2d6dc3dc0

SHA512
75e6d02d6ae0ebd8298ee09db100009a0b4b99fc1d01d065db38b222f18723bc3991918e6d1457d1701eed80d5b80b859647a944fdc03ccb55707901f1239294

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
32f86dd08e25c630593b6decacea9d8c

SHA1
7bd183a09ad157769f9a411ab085a661b280f761

SHA256
aceeeaa7eef61cd5409391cd406aa5092f5d0199bb8c66733df2cce1f2ea3d02

SHA512
eb1ce3e9812cb20e67f6cb0fc96830738ef8e7753bc13a70dda68ccaf141ba32288d26b2e250e95604eb21f5b23b7ffc7a56d7c76632842741a8fc4ca84b5d26

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
333db346754fb2777ccf13e7d88f687e

SHA1
72ef9f3afb761499ef1be7cfe378eea6d4be8eea

SHA256
bc181a90c85982e70a9b1478ad57a3b21bcc24eed8d57e88047501bab973ecfc

SHA512
81b9145fe90856e7d622753731b0d14993b962135cd8f82b3095d5a094f53a6b9741acdc06f00ca6a89ea8d2104ad0b5d797138f2cbc4399e9ef00a90c154168

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
64c671918d47ca416d9b565a1a9560df

SHA1
63a2f971a33a8cc14716156ec449058a6e8e9459

SHA256
baaff456bb22079ab7b4d50d2800247e5bb98c0213bda9225759735fc726ad27

SHA512
96801715f0cac8eb920be010a19631a1dad2678ca082462a2d6b694e840f94421c659beb1b130c6e7297e289749a7ef4334421b9959dc4c56b36f16e42d52830

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
472057c9d9c598be25d71299f603ef16

SHA1
bc9e00e36bc2d696c7810502b3350391a316c9c1

SHA256
e57f66188092ed6bbecf00032f9208cfe7a24090251952a1900f668b8ec18085

SHA512
0756ec93aaac601233550126d268969ad739a9d89750b90bd0de60486cf99c8666ead284e73245817cfeac18dee49be5b54a40b75eb4b9fc69ba56ec0535fcaa

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
1a01afd65b2c702b1cbea3d8cedbc2c7

SHA1
c2dddacf9c49626c707735501a1724d06e0d5019

SHA256
ea703a6bbbf116deaa223e98571f872ea2bc05e7595b9d2d6e9f18110a9e2aa6

SHA512
ba0ca7c28ad3ceaa7d8a7fc9063b9094c692436c7d3a6c8605346cd81e8324d6fd276f98cc931cc983d12fa6189b1a3db0d2c0724af774b1099c114e78ef1202

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
af7fef5e094cdf438d0bf0b6e6a6af11

SHA1
22dd750408a297a24eaa2de50a9ef7fcc626da45

SHA256
dbdc76201e27dcfdd7f6e8481988d33e305ccb0f2a446d453715d3b33c48d74e

SHA512
00ed1564a0ea7c7a47dc82d5294cfc0a9f76b6cdb15d2ed0db2f106a965a29f5ad3c345b75abf47c2dec2e4795c1398c854e50ec230da5ba51ad01859b4ac00a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
e9ad627c43174f1a2f18d08b6c57add7

SHA1
5619973ac71ecdc47588b8919398845c78cff265

SHA256
7cd1c7deb5e0268af64981450526b845bc2d217fcd7e8c979f02a46eb96b483c

SHA512
7a4cda174c45c99989f249ce113d94301e28ec280a9f53484198d7c2110a43a602843aa51651b58d27d3d6c645b3667626464e4e5404e82fe0d46e7b35537114

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
6b0eeeb23e49cdc4ecaf9a1c0ab700ab

SHA1
692d9713551701ac1ef114d7cbc4dd90f08727af

SHA256
ea8dbeebf964960f5172ac2e3bd8630b64a9a56bd5b15ac7cf1a9b9951b978ae

SHA512
c678bce5936637b0af63c3452d03789c17f23a9e4274d04712149280cb6e2272b01c346ace3d72966156482582f5e254870e550e1cda4de0bc9275a8182727c9

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

Filesize
1.7MB

MD5
97506a6fce66b94cb0923bc714ee6e41

SHA1
69f5aaade0d9975a11a90e926d12ede61249b53c

SHA256
a386c13b937739b762736c04daf72b6c08d1a0ad7ba2f4aa98682f2498b3f7e7

SHA512
3f6da436510662801a0c9b7969b0a206f4f3aae0314fce783f318c10b89e0eb09e0d7283f95b112cf2af79a3fed140e8b5d226858aa93a1ade659d8f42e4806c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
f80cbe8fd6ec459c2879f13f7f7f0df9

SHA1
80879f99913d7061dfa79c22d2b5c068d32df8d4

SHA256
1f7335e914cf68a3d3700b254248a372bf89f4b3b4cb002be31e72a34e8f6886

SHA512
9964ad009c2578473a0db697fa9fdc6f1e834b2fdc9d80ebf6a7737e9561b6229f0b1229b441f6ed0c32be3f7e007752d00d692aab418302b816f4634a30b490

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

Filesize
10.4MB

MD5
1862964f2b10a406b6fb75994b11d448

SHA1
38ae2df7a51d0f298b518d24a6d070a883fee5b2

SHA256
4bde787ae37eaf5ba79eac6494bd782b7c1fbb00f90e42e0cc6423e30e9e6f95

SHA512
c6066bbf73c2021f26e2aa000645396e059afc70ded663ae306c741503a2e6b7a04147dccab2de6a0d97b6ff295ca36b8f739a3d94b82db118221e75f4cf4315

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
fa0bdba2cc61ad7044ef03ffe80f3814

SHA1
7a58fbc7876412f7b31e88281372655c700834b4

SHA256
e14c7482087e8dfebbeac6efafeee025e6db2ba6a451e533feba7d0e42e89697

SHA512
5fe6312dc992a6d0ee73a2126ff64b4f3ef5f2b95a08d90f4632ed33bd7605766af9fd29cc44742708eb5a3a3451c8e3a1fcb1d01f845b2f82c9332c06fda7b1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

Filesize
1KB

MD5
4de79f28442911e39df9a2552b1bd9a0

SHA1
50a3e785c3c034c091e26cf1a55a192152b5a405

SHA256
c824946e817a21113b268c588bc4b632a2316f9bd99f4455a14e76f20ca26236

SHA512
302eee23ed21f2a1459c6023550d75cf1581c12ebf85a1464e6901200d15f962d70586209f5e8619d6e6632aa433d9cad42fd37ff4278a54ded786bc54818920

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
2350937c52dfbd9157a6cc83a27a29cd

SHA1
c45f8de294a38e77e351c634f3ba542bb7dfc96b

SHA256
101219411ffc76e53fd1eb6d54f6cf05ea33acf5d5ccb2861622d0c28e2ee25b

SHA512
646b106ed7f3a307ed0bfecc8b3850283284a29f9492f7afdbed333d2149914bb8d26323659fcb7a66b13a4e41a47654e07e86224d28a0d45443d0d9fa9f3467

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
ca462b2eee8e54df58c001d518c93a29

SHA1
fa66acc7a1b96e6a04b7f758c68e3de9a23ebb17

SHA256
d18d823deccebcbfe8d283f020aeeb2aa877c2fc4f9c60c6a03b073475739645

SHA512
c3238308c6e2e72ee40af30e79026fb07beab94b9ff81e8821d216f82ec90d1049e4f8379e55145cf79b1676e121ee304f83cbd2822b29e03d2fd8ad31a9cb6d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
7a050cbfedfa393261a3e74a11fe597b

SHA1
9c675832ebd7c81019515341c55fec50b43ce26c

SHA256
d0ea4e126d7f3ba9994d3409e983626a0b56ba740ca40154de22273ec1e0629e

SHA512
990119a3995f9dbeda8da22fbe76e419811dfa66007a47f238de87fa4c75238252bd16b278822e8fb68354b96860b53f3d762a9846da02cc9bc6f8671618688b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

Filesize
19.5MB

MD5
b3268e5c335e067e6ca9768670577fc9

SHA1
7afee407e77e0892d78d1f73fca1357ac4e3e02a

SHA256
4662a62807e8d76f6a23ffe1ddf2350e7e0f9e03d7fdda48444271650b9aeb49

SHA512
157695cb6d6d7d91997b700592c056e361f54e4781393cd217027aa465eb05fe6ba51f484f3c0f7b2d3683ae8e2da46e25a6b556563b75c61d5e8de0161069cc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
fbc6cf896f0ef6795d2bb1c65c4b024b

SHA1
6cbbc29f4643bf8911aede7fa7fe6eae8a9fe62d

SHA256
e54c38883a9a4150639831f93c9ca184dfff830b313033f7c38ac08704742cbc

SHA512
3ecb5fe1e0b65e9059422a7500b176c6b2f4b70d4793a43dc227b0b462982f0d47139f39557825b35b1c2a46d1033950139faf16d6a255d7d30a2266254b806b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
f58c2b403649399cd8af8ff643c67f3b

SHA1
dec3ff298ac7129cdd98967659b44afa91bfda16

SHA256
cc67942c2ec128e96e77771574d92b2bedccad1216c8ab820b883829760bc2a1

SHA512
3d155dd41336a34b55cdae0a526a23b152bd878bda1a3b3a4b8949facea390ab68eeb9041ad0a9590b3374e3026b15ecc90caa2b91e106ff39f70816904a1b75

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
5a4e446d71ab983d5a19ec6e7731f2a7

SHA1
2da31fcd6442c79b63e3b8142575e73bd7a9644b

SHA256
40ba5929777ca0082f2f485e19aecb945c85fc8565986e77bc09bfa44b346e25

SHA512
a99389dd5880d7ec9afb334c70d7d624a50f0430c92cb1025dee21094587b534723ae2c69463a956033b693346932bf9a3aaaaa588f2485c1884127bab161a9d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
ff99298db4e990c279741edb2519ebc2

SHA1
036751a806b6acd473711b8eab15b931a7d109b0

SHA256
e112d1628c2ca5ec0c0730f0bd50e86adbde303ac81a5207c7a0bf4b306d139c

SHA512
7c1380a6497c8a17292b18c6367fbdd60b7b1779cdd9e805348aff2a0b7f63da09aa5273930a64a35f7505bb1133b3ec66daf747c9458d7a98a57ffa7ffe23b1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
aaec9485ed1d57cb06a470d886cda234

SHA1
76f59fe2573e37212ff1162603c7ac1878e331a1

SHA256
c0e756dec2d41666e46ff0aa8b7c567dc8970a6264c7fd612b7b2c5013988f5e

SHA512
1327a75f5009d66865b8be03d71371dd1da53862a90f4f34062319d631612d0e6fe8cb449a219f1e2aa7cb3eff0dda3c9c6c3c46b5535eb1bfe7e05852f76e7f

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
be8b9d83f16e685333f303ec3845ef2c

SHA1
fe4c80dfb07838f2bb5f1a24cf065378a4dac59f

SHA256
17cae3a176d4b01990387694c0d4868a26905442e37999490886a120230203c4

SHA512
7dc08b6afd184e14bc60097d1af057cf51572cef3315f9bc56a28cd1e52b58f95eb0764378efe62bd854b1497f7d1a431467d62890109988d085b7ebc461d146

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

Filesize
1KB

MD5
923691f42982bec65213d3a44aa551e1

SHA1
55e3b130b7797953cead9978d2e68d98afcc3b34

SHA256
9cf60eafda15f423b7b88320802ff47b4dfba660210e53abd6f88dbb925e4961

SHA512
3eafc8bf13a821670ffd59c4cd1ab8d0a3cd5ba7add118aa9848db30d8cfb6fb099d7d1e4491ade397272fea401f2e872907e76f685a61350d124e4f43ad27a0

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
d44eba00082f04c0c1205448057bb263

SHA1
1182d5cf6c275f8a53ed5400fb100fc40e331c1b

SHA256
b1a82fc489ed62fc82784def756c1208f5da57dfadc39a0f467e3f42cf192797

SHA512
3955ae04f45e5d100ed13463c51bb42fbf4ac56ed48c8c02f1e01e2866de2412b57ca6f0ff717f2f98f42ad7f248ad632bbf5b5bbbb2b45d69465f0a5071bdc3

Download Submit
\Users\Admin\AppData\Local\Temp\aNfPyorNSlan.exe

Filesize
376KB

MD5
7d3f19b760cb1958a2c4d9ca7492c406

SHA1
c3fa91438850c88c81c0712204a273e382d8fa7b

SHA256
f8bc1638ec3b04412f708233e8586e1d91f18f6715d68cba1a491d4a7f457da0

SHA512
64d14a7a3866c76d45bea7bee19d40f63241c777d8d259a8a79279cac51396fe9469f28fc68eaa8ab688af13a47c4c5af0d62005d93a4649f81e411b8f2eae91

Download Submit
memory/1904-49-0x0000000000600000-0x0000000000624000-memory.dmp

Filesize
144KB

Download
memory/1956-95-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-110-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-108-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-102-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-100-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-96-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-90-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-94-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-93-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-79-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-80-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-81-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-82-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-83-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-84-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-0-0x0000000000260000-0x0000000000284000-memory.dmp

Filesize
144KB

Download
memory/1956-109-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-105-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-111-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-76-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-99-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-77-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-78-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-61-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-60-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-4-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/1956-87-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-88-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-5-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1956-89-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/2644-31-0x0000000000230000-0x0000000000254000-memory.dmp

Filesize
144KB

Download
memory/2644-58-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/3016-16-0x0000000000270000-0x0000000000294000-memory.dmp

Filesize
144KB

Download
memory/3016-40-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download