ryuk | 51ec1631a41116543155d62343c319cc18fbc96ff69d13486628059c8996082d

Analysis

max time kernel
104s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
Size

314KB
MD5

89e60fff097ebf9b27bc8aa9b1564da0
SHA1

9a1755bcfb3496290333f33b1b0b738016b868bf
SHA256

2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79
SHA512

a471d4ad11bb4fdb2adcf988a133a53a7b3b536681f421e1c13047bbfeeacfef3a232689de215a8bf81e55515c5cf92081e0b41893c56712bf328aae67de8055
SSDEEP

6144:G4VK8AmqOZPPdJkWOexxREJ2PptogBXNLqZrKZPz4WJA:Gr8A1OOy6J2PLdXNLWrO4WJA

Score

10^/10

ryuk credential_access discovery ransomware stealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'LrTkZZiNrw'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Renames multiple (1274) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Executes dropped EXE 3 IoCs

pid	Process
1920	HqTVgBZGwrep.exe
2824	reIWMpjOZlan.exe
2716	wLStGZCewlan.exe

Loads dropped DLL 13 IoCs

pid	Process
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
36464	MsiExec.exe
36464	MsiExec.exe
36464	MsiExec.exe
36464	MsiExec.exe
36464	MsiExec.exe
36464	MsiExec.exe
36464	MsiExec.exe
37540	msiexec.exe
37540	msiexec.exe
40688	MsiExec.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
22128	icacls.exe
22144	icacls.exe
22136	icacls.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground.wmv	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Makassar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.zh_CN_5.5.0.165303.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Paris	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Galapagos	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Easter	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\ja-JP\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\shadowonlyframe_selectionsubpicture.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\SportsMainBackground_PAL.wmv	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\15x15dot.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Glace_Bay	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UTC	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.properties	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\ShapeCollector.exe.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\fr-FR\MSTTSLoc.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\rtscom.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Damascus	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\calendars.properties	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Goose_Bay	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychartplugin_5.5.0.165303.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\tipresx.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port-au-Prince	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic.ja_5.5.0.165303.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Month_Calendar.emf	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\org.eclipse.rcp_root_4.4.0.v20141007-2301	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_de.properties	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_zh_4.4.0.v20140623020002.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.nl_ja_4.4.0.v20140623020002.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.nl_ja_4.4.0.v20140623020002.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\tipresx.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\en-US\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msadcfr.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\he-IL\tipresx.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Rankin_Inlet	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Moscow	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationUp_SelectionSubpicture.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\button-highlight.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Macquarie	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationRight_SelectionSubpicture.png	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_fr.properties	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\RyukReadMe.html	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.repository.nl_ja_4.4.0.v20140623020002.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\System\ado\msado25.tlb	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\US_export_policy.jar	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f783d2f.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\f783d2f.mst	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4656.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4BC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4DAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E19.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4193.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43A7.tmp	msiexec.exe
File created	C:\Windows\Installer\f783d32.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4C72.tmp	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HqTVgBZGwrep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reIWMpjOZlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wLStGZCewlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\DefaultIcon	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\open	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit\command	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\edit	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx\IconHandler	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\ShellEx	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
37540	msiexec.exe
37540	msiexec.exe
37540	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeSecurityPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe
Token: SeRestorePrivilege	37540	msiexec.exe
Token: SeTakeOwnershipPrivilege	37540	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1920	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	31
PID 2240 wrote to memory of 1920	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	31
PID 2240 wrote to memory of 1920	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	31
PID 2240 wrote to memory of 1920	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	31
PID 2240 wrote to memory of 2824	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	32
PID 2240 wrote to memory of 2824	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	32
PID 2240 wrote to memory of 2824	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	32
PID 2240 wrote to memory of 2824	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	32
PID 2240 wrote to memory of 2716	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	33
PID 2240 wrote to memory of 2716	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	33
PID 2240 wrote to memory of 2716	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	33
PID 2240 wrote to memory of 2716	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	33
PID 2240 wrote to memory of 22128	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	34
PID 2240 wrote to memory of 22128	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	34
PID 2240 wrote to memory of 22128	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	34
PID 2240 wrote to memory of 22128	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	34
PID 2240 wrote to memory of 22136	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	35
PID 2240 wrote to memory of 22136	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	35
PID 2240 wrote to memory of 22136	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	35
PID 2240 wrote to memory of 22136	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	35
PID 2240 wrote to memory of 22144	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	36
PID 2240 wrote to memory of 22144	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	36
PID 2240 wrote to memory of 22144	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	36
PID 2240 wrote to memory of 22144	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	36
PID 2240 wrote to memory of 29152	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	40
PID 2240 wrote to memory of 29152	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	40
PID 2240 wrote to memory of 29152	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	40
PID 2240 wrote to memory of 29152	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	40
PID 2240 wrote to memory of 29160	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	41
PID 2240 wrote to memory of 29160	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	41
PID 2240 wrote to memory of 29160	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	41
PID 2240 wrote to memory of 29160	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	41
PID 2240 wrote to memory of 29252	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	44
PID 2240 wrote to memory of 29252	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	44
PID 2240 wrote to memory of 29252	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	44
PID 2240 wrote to memory of 29252	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	44
PID 29152 wrote to memory of 29260	29152	net.exe	45
PID 29152 wrote to memory of 29260	29152	net.exe	45
PID 29152 wrote to memory of 29260	29152	net.exe	45
PID 29152 wrote to memory of 29260	29152	net.exe	45
PID 29160 wrote to memory of 29268	29160	net.exe	46
PID 29160 wrote to memory of 29268	29160	net.exe	46
PID 29160 wrote to memory of 29268	29160	net.exe	46
PID 29160 wrote to memory of 29268	29160	net.exe	46
PID 2240 wrote to memory of 29292	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	48
PID 2240 wrote to memory of 29292	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	48
PID 2240 wrote to memory of 29292	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	48
PID 2240 wrote to memory of 29292	2240	2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe	48
PID 29252 wrote to memory of 29316	29252	net.exe	50
PID 29252 wrote to memory of 29316	29252	net.exe	50
PID 29252 wrote to memory of 29316	29252	net.exe	50
PID 29252 wrote to memory of 29316	29252	net.exe	50
PID 29292 wrote to memory of 29332	29292	net.exe	51
PID 29292 wrote to memory of 29332	29292	net.exe	51
PID 29292 wrote to memory of 29332	29292	net.exe	51
PID 29292 wrote to memory of 29332	29292	net.exe	51
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 36464	37540	msiexec.exe	54
PID 37540 wrote to memory of 40688	37540	msiexec.exe	55

C:\Users\Admin\AppData\Local\Temp\2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe
"C:\Users\Admin\AppData\Local\Temp\2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Local\Temp\HqTVgBZGwrep.exe
  "C:\Users\Admin\AppData\Local\Temp\HqTVgBZGwrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\reIWMpjOZlan.exe
  "C:\Users\Admin\AppData\Local\Temp\reIWMpjOZlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\Users\Admin\AppData\Local\Temp\wLStGZCewlan.exe
  "C:\Users\Admin\AppData\Local\Temp\wLStGZCewlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22128
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22136
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:22144
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:29152
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:29260
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:29160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:29268
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:29252
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:29316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:29292
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    - System Location Discovery: System Language Discovery
    PID:29332

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:37540
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 571C960EBA51F3C05CFC151B43A38900
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:36464
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 15248E4E64272E3081A851565E18DF70
  2⤵
  - Loads dropped DLL
  PID:40688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Credentials from Password Stores

T1555

Windows Credential Manager

T1555.004

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
f384bf6e1d5128381001d8b513247bac

SHA1
7f08efd49a662b27116d5ea17f8570dfcc9c2fab

SHA256
373e3e2510e92a929884cae9f9d72cc313b1def2cab3df1ee1d9f2bfefa0ec6b

SHA512
1bf4675b99a136464ebdc7e06a8e6125790a774db38fc11bf671db516a72d9cb54395adf88ca0139a4e77664a739b79de16aaa941309dc54d9264b33a81ae506

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
08fc40f5b374c7a8ff716716b761931b

SHA1
a0c0d6f5043a6209ece8d2c3751cc62dc4be7888

SHA256
c86f77d93d0b377ea1f38214bfdb27a87df310887a4b06926cdf0ba9bd1b2dba

SHA512
56e394fc4388f992eef80cdcf19ed811a74bbf7e2a3b6dbf89ed7549c93f7f0a827616e10c7b24cffcf2ceb92bdbfec8d48fbef4d7417b201dd04edeb61658c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
bd84c0e2130d80bbc6d923fb584e91c9

SHA1
a20ee83725cea4c3d0d1a912b31a61d67cac37bc

SHA256
ee29131337f0cf49b44b682843db3a5fe5ae4dc09c2bf7d1673f24b1fcc3ee74

SHA512
c397d5b0f60187c071c67ae47d4b5cb623879b7482452fb7f641d955a151910243d26de3373beeab9b4b0cfe9eb1169602d5cdc3bf89c823c2a6c8fae562d652

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
b24a4084fdbcb43c1a81eba211ccddfa

SHA1
bcef1cf1cf9813006a160404eb0d462b5f944583

SHA256
38411e5560fb3fcbc4fc64f912b4f0195b2fc872b1df20b997e4cbc1c0806b6c

SHA512
7b36a239e456e16a4c0848b44742ef6834633f93021bb0016294e7b701bee7ff129e9f528d4a72d1a6a6714a09d5d64e6743a707475e28e63141b71b33b073e9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
3fefc50b9d67beb24440845afec09298

SHA1
80fa52c72cc578f6be50189bacf4ef61c91c413c

SHA256
b3cee5549ebaa1353e5f0799359371de8082b6df087847dfb4d9d08c6326e9eb

SHA512
c7f08662e861ad1766f5073713ea9f857d9d8b30950ef1ad6895d40843d48bd469b943764211d5a046cab61b3be96c6aa6dcf3dbf247c92a992d47e5742ba1e5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
51879bf45d478b44087a2215914f0e88

SHA1
c8482093eb2bb6a19f62b3d7c1964c4202c76294

SHA256
abc621d01dba486ccf1946a75cbae8b3caeebfc7b798586d6a5262e251452f12

SHA512
436374cba1bfcc0ae1ded68f9f97272f96e86f4d8cbc990f3e71dbdbea98d0ae0ff881ee7bbdca44daeb63c29662dacd6f7a7ad42b699d37df86fe3ad65cad87

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
bd6bcd056bcb43763ffacb058554bdf7

SHA1
4d006da95abf26472191cdc3e0141c62196f033e

SHA256
8a99b40e4051e895f6af678ebdc711bcf5b429078e5a11608f179ed2531c7ffc

SHA512
5210d3e8448506eb864c8f95ff6f7657d8354249c938fb8b9030d68eadab265faf482dd938744fad7d75765a5f4d3ded96da9a2c1229fef4dd95872ea29130a6

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
6d7f5143f7d8955cc4506ed49c78e0a0

SHA1
f901eaa90146b02a4d5a302be704782ded937ad3

SHA256
fed1d945da46d32385c41adbcdead8dc76b82ce2e18a0257fad0fd530f689d17

SHA512
998dc464cb3209f0dd3be06019dcaac3ee715372eb9cdd8a47a1a1df0994fa528764ae19f9f9db3a73e2415c4322789bfa669b60d9b749a69d220c4d894295c4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
f265e3204808f289244e2e79466089a4

SHA1
5cb4c86df093453e2fa62a6bced6d80f79d5f1c3

SHA256
99180e3b6c4055a99fdeec3dd77d2baad122d5446c3ec65b491a22d15b4cd656

SHA512
fb02fc483e779d5c625a2a53e30538d5c5a39174d5182efe6c6536280d3f92c30c95935aed6eb8cc0e2ca5f9fcc627e25257aee0d035a2a1e07b0427f4a052c5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
fbe5035ef79410ebb0b99b6d0918958c

SHA1
d86e5928d3f3660a00ebc565d322f9d07a414392

SHA256
14d20110f94ac25f6f6ec2177a5d86614d592dfff536b356b3d8199f11b4f64e

SHA512
09b7007fd1f532acdbf53edb31663ca114f30ec52ac98b8a3c99edb51669c5c2119ef53b934b8f8519f6f183f4c09523e51d018bba198c9e239d4427a7056a4c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
ac7428d697910d852548f62e9ff178e7

SHA1
50f685e47062d451a8a1c7673debea0a42070d55

SHA256
dd906c6fbde4a4568b91af9d00bab1e836ddb7f8d0137d3004d7fe9cdd0e3d6e

SHA512
25010a834c46be6b3890554cb615f267f0f1dc91967f0d4ac39ca8f835cabe6ab1c1b423be1c743898e6431d3c3d1d8c6b15f0f4848734fda5ba5748095bce84

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
14fe9132ed7b10dff41bcdcc38cd0e02

SHA1
cecb505b7cb5b4a7efad658fb7b7680f8b00b403

SHA256
9849aabc3c745f0844011806329144ec4a5c487eabd3075fd3778dd3e532c982

SHA512
a0b2edb479dfeee82086c385d3a68ccb826458c617244167eb3bd9d2431b6d7c2c15a1eff23a2528cf87e8dd37c5af623da3254e64fadc52ff46c23b5f938bcb

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
5a0bfec6dd253dfa2642afc622621ef7

SHA1
38564e2b7493874fac06c63d377df22ca8fbd39d

SHA256
877e2b54d0f38c0af5d348aa25dcc21316ca83d8e0395f1796ec206cde88bef4

SHA512
7949ad4e52e4e877055f805eca77616d2fd35c9ecd70f1d6bbb3c852e87e793fe668469b1c9ce9717eb22ceaed8609143109ea8d2998729205d9e32153284ef7

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
d02d4420713aea2626ad10852a6f684a

SHA1
7912baf0f5f0a6ee2c91840eda892a0efc7b43d6

SHA256
38a5347d325352c374fa2e0c499c67de05a90c794d4315dcdc827eb3192bd70f

SHA512
fa264900257793c9078530eff63a563189f1ab2ae904ae7d376ecdb1a086442bdc9a500837807fd69a2510b6cc48541d2eecaf2025e2e06cd059a26ec1e7fbc9

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
4de3abd6bb9202757837419a4bec3ce2

SHA1
d60b980bb7ffb4b515339fa281d5eb1103e98bee

SHA256
ad6637180b31499fe903f9d2b4abe0a6eac6abf43b940af58aee16ebfc826ea2

SHA512
106926cb0b3ea898d2e53398abf08acff1ece7375f046a2a87357128ab760b45ca4d863a160a3e553e50542cbb36c6344cfc0d58ed0c9e69ec4355c9b3bcc0e5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
22bc17c881e69f9d6a41c3c4aedfd123

SHA1
67d16c88dc9ed04f28313de3edbc1d9b220fb999

SHA256
4d30c1f73eb5c8b02ff8ddf588d57cfb7554d1988a2226042778560a774cd222

SHA512
ef45d026af6ff296f1dcd35f8feb10a624bd35174ff8b211fb17f36a35f3c5ad3927fee08d4e1e233136c825114385f28707ed3b54a860db3f67c05a3853f125

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
eb7e59129d65f4b199b3679c36c25e6d

SHA1
8cf63c05d86ec35065a0f3a93a3e070acf1d7f34

SHA256
259b229ea385ce56c98897af657a67b466f40bdebeca1bc8311a9efff658c424

SHA512
9d971532d63164774284992c0cc459f16ba9e50301657f458f9ec4415f8a924bdafdba83d0ee021fe057bb66f5ddc7f391397f4a3b330959317295792091cc6d

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
9314fdbca3d919a5d78e4ac29763a86d

SHA1
d7c10db66a4bb5547c0cf5681ebc7a29d74f9d72

SHA256
382b7257c41c659d525b2bcdf6d76fdb0dbe2f99ce5b51439c43b9a641528031

SHA512
52dcec3513b3a69e40e91d9ec030afca54afe53eb4ce93c08ddee19dc06f5f7699448655f86ada9cbed4117c74afb6130d5892a9cd28fbd94e961d0414bdcf07

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
bbdf017d22ea6677bbd9aa0d0b2ce50a

SHA1
9b91ae334adeb24e25f52070bafe47c8b74421f3

SHA256
30fd059e7f3849b6b613538b9b7f64e03c04fb86afe5d1eb7eec512dcdb9e1ba

SHA512
00cbee3ef437f340c8dbc36c3c2bc35d1dd40312e8097ad3a73d84e23697ee87d46393591c9566dfbc9502b7ff4ddecd9f816b566404a26c98ee037476a9bb25

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
3120b6140278f0025f810db050ebf260

SHA1
d04eb67567bca9ac4ab9776909d31925e1c00c4c

SHA256
0eb09ed05be429545aff3dc1910f7d06f17daf419f9b77c877459d5603fd71f9

SHA512
e4e637a4973c465c15450fdb0057f31cd8bfe05b1d2f8e6853fa4cb4269e8931e92616b5cf57d58737efdff193b3cf4c35a54d4295d8d1f56df715682fffc196

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
1f45d472591fb06cd3c8c495bc955358

SHA1
179198f0fc7201b3bea47f83e0bee3d736ff3c45

SHA256
abe6500c91afd4713f5eccc8241c337e26c54d606649f7c00b25fff285aad0ff

SHA512
ec9aa6cf252ee0acfb4ac83d90fd88d0963390bbc4bcc35ecd6fc9aaffec6e346b68d33ce7cd28b1f16ad8aae9c12b0e9433745cf7f5bc2eac34662e87f0413e

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
cbf54cd4af7cad1d301c8cd6294bd8ee

SHA1
ca01d2d2a5d458c92c668c6222513585a299b147

SHA256
44810c0a88dc8ec7d3a649c2513cde6603384fa7cd3fa73df0573797d8c0ffc5

SHA512
b534c1b5a2a13e27326149bab57ba3d39895e3fe803046dd38556d67126301c46faac36aeaaf58d020deae8a535e291c1f2778e0320c9cb036f69d45e26da122

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
9540e3adf2f60ab4de712954bd612440

SHA1
a216b0423fbb8e8a29ff808dab94d791b3098db6

SHA256
2b8c1db73d5fc5d75d1d31cb874b6fc5e0ef416a4276d6dd64c96b73ae911d77

SHA512
1ef4ca8be1b2ceaaf64ea75457f267d6a9b829f36c103a1b14735e626a70df9dd351bb79a1958dee2903c17aff416267dba097fe7e71697e2a1cc8777ffd3e61

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
41.8MB

MD5
c0007d4683707a9b49de2a69ac423416

SHA1
e90499c6988d0a1466de17d30afac2a6adcf272b

SHA256
1262d7a6580a7af41e8856004a0f6a48e3423c713202e26473724f4216b73adc

SHA512
3ffe8d5d24303fcabe2605bb20583e8c9910056fd13aad5848fc2308f17d5308895a240ebdcf55b7e51c35ec85f7e52c8fa8d65c0f398670fbbff0ba42b4ba10

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
db4d084daedcc7b00b67c66243c7c13f

SHA1
937bbf17b78610f2450d3009915e6d1d93779f0e

SHA256
98615b0bf0c2236d1a7d62195da4aa9ae53cfa3edea198a218c916b0437598aa

SHA512
6f8fa4c79bbd73cddd390ef40d837e02ce5f9e427db0ace1e5bc521b05f2c51cda60c657f2eddcf14bb67bbc4896ce378f41be045aab70678514d7e14f202946

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
5e20e177ee94ce356b5a6be07d2ad4c4

SHA1
b931815cb9c6ac3e9b886613308c129c3eb623f1

SHA256
01cc5d364bbfe1496b196cec5baf30f3761db901ff1aa11ab2566bbf0b7ca183

SHA512
efe614f7ecd7079db4b7ba8a6746417236cd43af478ddea5f9729c25ab281c02f6d529d66607dc38f0374f8d9c88861bd5fd13862458996ef15ffc57035aeb21

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
e03babe2950cba100dad4dc6ab75e5dc

SHA1
774511f1793c443da05c651f83e98c3780687031

SHA256
cfaac32bd234f509d3b0ba29e8023a6536ddbdb521bfffba6a9e8b1c7f2b2681

SHA512
06ffcfa83201bfb6160fc028b98de6d75170da1b625db2da7b275edb2ad9dfcec695764fe49ed0e67fb58b7046bbdf2205ef421a88fcadf1d9ab2a9d3830d494

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
8eec3f3a48d7980b7ab8c64d6bea7ec9

SHA1
3a6e141d3aceb300efed655b790294c111d8a56b

SHA256
68d7586b594b1174f43c5549ba23cbdd4ec1b9f4101ccfca8278e0711d2f4fde

SHA512
9413620d1e48112301d583d7cea64f2d80107914d7898ffa951c0953a687e72b1a1f759ecc567c8c62c27cd6da78810cc7f748ee9683adedec24109e148e2429

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
fad9d8aa4ca49166eda61523d35f688f

SHA1
3195ed0212d70f0114958a3773b925d8b86c78ed

SHA256
c8e05c542dfd28a65ac5310c581e42869ea101029822ae6457f25dbbf4378b48

SHA512
4dba63cafdffdd2ab74b54e3f9de33b861c4b06329f136c02128e841c77076e1c25c657b713de858c22d1ab4b0dc95f926d17118de044b1fe4e87d97ab31769d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
e48a99d9e5cc444ce847cfc2f708e1b6

SHA1
03d8aa7c11e6ffcd4844cbab3a125c243dc8cb75

SHA256
9b513ddcd772a61366b92dec28e683d00d336263e4e30c7b7131e46253d97803

SHA512
e565dbf67265783fa9f320f0be924140e8318862278954954f9661a30ea382bc213541b7c3ce0a96f92a21609f9c86c0ec1ec8c984d002d1c892b21f9677c33f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
06ed2e50380ce99e584d637e05f8504f

SHA1
5ac135eef87d808e0801a17529c0bf2cd9d8e693

SHA256
17037e8ec54428b0a284eb70ced553339a7347b1258801e04cdd3f42a0ab75f7

SHA512
96b664553cc5ab2f158fa815f7775b85f164c6a30ee00ff381a5419919ae225e4e71881f8e72f1468b2452bb87ba2ee260915a9e06b206a1dab9de040f32ebe6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
10fcaff4b1a851ba8207069dbc195b2c

SHA1
334d13ab795a21429cbc52f41e0f938b1cf7e2e8

SHA256
3bf7c5214de6620161d8c2c492bcca974cae889eec78fedca54bb1571face238

SHA512
cd4b74f0efbd9e7a93d76810362e245c83f15292a5eb034236d7c49d8bf4c46f82115bed722dac4981f554693f648da88c3c05054290a0fcfb0de1bc81ca552b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
19.5MB

MD5
ef88d8d5f5d0e73a5862b24706d5987f

SHA1
161799408dbe671a1a94af949a3c1c53b755fe3a

SHA256
aca964c0db4b1150d8d2696d1a3fc47b8348de2f234de858d0ef9c040e19f9f9

SHA512
e4784e88b2d9bb77d80d09545ba73f429e40e104b1ed6f13e8e7dbba936a28fa08779b7e38d0462ef9b6ac666cffc54ece0dd7af2b1ffd724bd82c00f21b17ac

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
f0c7628ff07511b9e229f73dff249f74

SHA1
76303f4d388711efdf0c7bc972840292df4797e4

SHA256
21cbcd69160dd80f563d2fd1ebb9d6e3b91dd6ecb6954b6359d3b0520c6408ae

SHA512
cc998e1c0cb28a8d2e3cce1b30cd00bc99f67c3fbbfe8174b07053fea7a5d668f486d12d030d7257dfa8a9cc8f33ed1611f5cdc3e0d46098e98354f40b67264d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
14895ce5416305dae25a90e1417e1054

SHA1
dfbf7ac8aea85f854ff09c6bf6a28e32193c2865

SHA256
e5f309485467ca98cf4d9c3b9c609af99c3e1c601d5e9eef7dbbd05e6e041fb5

SHA512
5ec5a63b298a8d8105104062633a16419deede3e597f86a916406d778df2e69d1fc18208e10ffd2941774894993ed08bdca09c44a823b796561af6c32c63db85

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
c92c2656dda36f4e460e10225d8798d0

SHA1
9893ab2ac4d4e69b7e1200cf86d0056a83ae34bf

SHA256
4400a8c9e3f68fc5386a23384a3ffd72ee210be857b48b480d82e9dcafd18d68

SHA512
915bd554ad56db6f86404f1445fd4556fa28f684cc6da2f6813d7cdfad1b0f7d220ae3f742aaeaefdb551ae2a25b6fecc510614035cd57f995f8d51a5e2d87a0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
cbad0bd5e1e9e204cc29ad178c6992ce

SHA1
a30e7e8c6a4d91f77857a8935c2c16828f4cc2d0

SHA256
cb7999644e025a3256ee1c354133711aae376afec5dcfcb146272f17bedd3a41

SHA512
87ac6b46a65ff4333790e6606bb538abbd9afb8f75d8a44965d2a674d5f5d89cc608b158d44c103cdefcb6ff59d8f224fc68700a427c9bb66566faea25e30c2b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
dd8c4422f5fed7457c2101776f50db97

SHA1
252cd22335a3714a275628dd46d098e1fc9b7961

SHA256
419e253bd10f94e53cb2b2b893480ca94e55fe3eb2cffedf168455a4cebc6dc4

SHA512
5ae0c38871c9accb3a97126805a2c1e22cc3a7bf0a654873b08866e5710c72ca19f84072b7b54bbb7d5c33bdc726de012b23faa04f131691c5546f5f6929f934

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
15.0MB

MD5
7e98722341e9e5527b72d8b1604b7ec8

SHA1
06c4e6fea83ffecddffee15bd0eb59b76206e027

SHA256
bd3e4cd43f83809be8406eaac2446a121980a63fa0254153edbba0b4d9027189

SHA512
1433a14bb296c2d2842fb587d5a49a9643a631e5f37fdac31a20aba43201be8bf355225bfe1e2c8a53e616c9ab653db98257193b79cb381d91f029fc4877e935

Download Submit
C:\Windows\Installer\MSI4C72.tmp

Filesize
363KB

MD5
4a843a97ae51c310b573a02ffd2a0e8e

SHA1
063fa914ccb07249123c0d5f4595935487635b20

SHA256
727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

SHA512
905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
145ef8dd33404cc5405a60adbb877701

SHA1
1284e8e6574e649e927945dffc31803466fe6de6

SHA256
4a75c44c9950022d29f790922eee698dd5dee83c4013ac835ee99f3fb336462b

SHA512
786e2f2ebc68e1678751d1a667320b9e3df2e8f42bbff7bae16213960b0db8011cfecc97a2a9e85be86e3edbf85c2c3dbceb915d899be3d4ef85c0c91068d37c

Download Submit
\Users\Admin\AppData\Local\Temp\HqTVgBZGwrep.exe

Filesize
314KB

MD5
89e60fff097ebf9b27bc8aa9b1564da0

SHA1
9a1755bcfb3496290333f33b1b0b738016b868bf

SHA256
2ffa792d22c729a6c092b7a7cc8b7fb2de567c2d370fb6a2e6f4e7ffca74fe79

SHA512
a471d4ad11bb4fdb2adcf988a133a53a7b3b536681f421e1c13047bbfeeacfef3a232689de215a8bf81e55515c5cf92081e0b41893c56712bf328aae67de8055

Download Submit
memory/1920-3137-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-31-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-14-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-15-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-10595-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-9535-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-7618-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-5147-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-292-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-772-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/1920-41-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-636-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-242-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-40-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-1-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-16-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-10384-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-0-0x0000000035007000-0x0000000035009000-memory.dmp

Filesize
8KB

Download
memory/2240-2-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-9354-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-4-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-2850-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-26-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-4992-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2240-3-0x0000000035007000-0x0000000035009000-memory.dmp

Filesize
8KB

Download
memory/2240-7434-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2716-835-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2716-42-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-39-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-8908-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-25-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-9782-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-44-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download
memory/2824-11516-0x0000000035000000-0x0000000035148000-memory.dmp

Filesize
1.3MB

Download