ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
107s
max time network
11s
platform
windows7_x64
resource
win7v20210408
submitted
22-04-2021 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ryuk.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

lVrVy.exe

pid process

1792 lVrVy.exe
Deletes itself 1 IoCs

Processes:

lVrVy.exe

pid process

1792 lVrVy.exe
Loads dropped DLL 1 IoCs

Processes:

ryuk.exe

pid process

1016 ryuk.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1792	lVrVy.exe

pid	process
1792	lVrVy.exe

pid	process
1016	ryuk.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\lVrVy.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RSSITEML.ICO	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\jni_md.h	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker_1.1.200.v20131119-0908.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198447.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\vstoee100.tlb	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00454_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_alignleft.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB7.BDR	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Knox	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00648_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0199036.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+7	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19828_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\vlc.mo	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01243_.GIF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN01173_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-util-enumerations.xml_hidden	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MyriadPro-BoldIt.otf	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-options.jar	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\DataType\Start End Dates.accft	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_rtl.xml	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\VideoLAN Website.url	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\HEADER.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0196400.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\UTILITY.ACCDA	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\CircleSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\CALENDAR.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-oql.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OfficeMUI.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0185842.WMF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_rightarrow.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Indian\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+8	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02424_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC_F_COL.HXK	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATHEDITOR.HXS	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Omsk	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE05710_.WMF	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
69836	vssadmin.exe
69764	vssadmin.exe
69256	vssadmin.exe
69840	vssadmin.exe
69708	vssadmin.exe
69124	vssadmin.exe
69360	vssadmin.exe
69468	vssadmin.exe
70012	vssadmin.exe
49372	vssadmin.exe
69652	vssadmin.exe
69548	vssadmin.exe
1468	vssadmin.exe
70236	vssadmin.exe
1576	vssadmin.exe
70388	vssadmin.exe
69404	vssadmin.exe
70336	vssadmin.exe
69920	vssadmin.exe
69592	vssadmin.exe
69316	vssadmin.exe
69416	vssadmin.exe
70000	vssadmin.exe
69928	vssadmin.exe
69292	vssadmin.exe
69456	vssadmin.exe
70120	vssadmin.exe
69208	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

lVrVy.exe

pid process

1792 lVrVy.exe

pid	process
1792	lVrVy.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

lVrVy.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1792	lVrVy.exe
Token: SeBackupPrivilege	69684	vssvc.exe
Token: SeRestorePrivilege	69684	vssvc.exe
Token: SeAuditPrivilege	69684	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1088 taskhost.exe
1160 Dwm.exe

pid	process
1088	taskhost.exe
1160	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ryuk.exelVrVy.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1016 wrote to memory of 1792	1016	ryuk.exe	lVrVy.exe
PID 1016 wrote to memory of 1792	1016	ryuk.exe	lVrVy.exe
PID 1016 wrote to memory of 1792	1016	ryuk.exe	lVrVy.exe
PID 1016 wrote to memory of 1792	1016	ryuk.exe	lVrVy.exe
PID 1792 wrote to memory of 1236	1792	lVrVy.exe	cmd.exe
PID 1792 wrote to memory of 1236	1792	lVrVy.exe	cmd.exe
PID 1792 wrote to memory of 1236	1792	lVrVy.exe	cmd.exe
PID 1792 wrote to memory of 1088	1792	lVrVy.exe	taskhost.exe
PID 1236 wrote to memory of 432	1236	cmd.exe	reg.exe
PID 1236 wrote to memory of 432	1236	cmd.exe	reg.exe
PID 1236 wrote to memory of 432	1236	cmd.exe	reg.exe
PID 1792 wrote to memory of 1160	1792	lVrVy.exe	Dwm.exe
PID 1088 wrote to memory of 69620	1088	taskhost.exe	cmd.exe
PID 1088 wrote to memory of 69620	1088	taskhost.exe	cmd.exe
PID 1088 wrote to memory of 69620	1088	taskhost.exe	cmd.exe
PID 69620 wrote to memory of 69652	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69652	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69652	69620	cmd.exe	vssadmin.exe
PID 1160 wrote to memory of 69064	1160	Dwm.exe	cmd.exe
PID 1160 wrote to memory of 69064	1160	Dwm.exe	cmd.exe
PID 1160 wrote to memory of 69064	1160	Dwm.exe	cmd.exe
PID 69064 wrote to memory of 69124	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69124	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69124	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69208	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69208	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69208	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69256	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69256	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69256	69064	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69292	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69292	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69292	69620	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69316	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69316	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69316	69064	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69360	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69360	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69360	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69404	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69404	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69404	69620	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69416	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69416	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69416	69064	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69456	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69456	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69456	69620	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69468	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69468	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69468	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69592	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69592	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 69592	69064	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69548	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69548	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69548	69620	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 1468	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 1468	69064	cmd.exe	vssadmin.exe
PID 69064 wrote to memory of 1468	69064	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69708	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69708	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69708	69620	cmd.exe	vssadmin.exe
PID 69620 wrote to memory of 69836	69620	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69064

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69124

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69208

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:69256

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69316

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69416

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69468

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69592

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1468

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69840

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70000

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70012

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69764

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1576

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69620

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69652

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69292

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:69360

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69404

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69456

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69548

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69708

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69836

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70120

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70336

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69928

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:49372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70388

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69920

C:\Users\Admin\AppData\Local\Temp\ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016

C:\users\Public\lVrVy.exe
"C:\users\Public\lVrVy.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lVrVy.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lVrVy.exe" /f
4⤵
- Adds Run key to start application
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69684

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:69104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
58a50c892029e9ab275cd41d0053b4e6

SHA1
64237ea722c0adc2bab37d7b1fb319c7c7d1bedb

SHA256
a915b80c8ba90b32822f2c0d9469f7e4f322ce7d083d71058f4ca0636484ad53

SHA512
fb85cea618162aba14d18df81b7046b7d19a90c957f1face891fbc9c9a424c01c5dc599aa3466745c331c86b15e26771b0913da192657cbbcc5fc66a5f23f452

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
82d2923373a2a557ba54326956fc7292

SHA1
ba9cb6e46d9ef4123ce65f38e2ab59db8505597a

SHA256
09e42fec6762cb00f9b54dce9f74ac8982aa8c6710b8aca82413aea6c4c57821

SHA512
7ef85d27a1c9c0bdb194152df651e2751731fded0ac45eb3a7a61c569d4e641242ceef6720ee76439c497c9ceec6213c039197302faa62997b480c961b0d9cb7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
d628f62ac6a15e74a9539eef78304e32

SHA1
36343ea5b3d2340af785895e2330178c35655c63

SHA256
78b8afad6809c8c5f07041336212bb82f36e8f64772d7c764924a5a622c2f6cd

SHA512
0255585fee0b62e534525a39daf63aa274c4c334ac8730ec30711d53ab7fd0383e636b6d8da817fbababd61b28d1ae3c12107e87eb837fde5fb491ed6ece84b6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
2da487b0c390c898e29e266f0c62acb7

SHA1
083d42647ea733fa93fec0375c5d3cb5e7de5a81

SHA256
d9c01bd2744b965e83c2dc97ae86effd5102292dfca35f2703b5c1994b2fcd22

SHA512
fc4d3ec93598f47ea2ebbda53d99ae1ede676151248667cf155a2f912d8ef820a8aaa8c5fcc25a72ae86b3e4ce386a7de8036cb7a877dd8d4dd5a0922b346ccf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
65d8cbc790a86617b921937536d764f9

SHA1
b434ca8b2f02281d69454780c82098304323e55b

SHA256
9b0608e5d0de1e75e1f7969ec06690458be90b0c546ea3d25a88789a042e3677

SHA512
1257ea2255502f684f62c0720596877efaee34231a91b071c84aa0a94815fedebc27395d07b16fd6cc11b5992686d659079d3c292c4b9bbb1b80aa713a7f0980

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
dc54c0c41518b8ec53d3039090a4c236

SHA1
8a1cfad5119fd3ccd0afa49912d153a5cf3ba06a

SHA256
1cccab9eab3c2324fbe3f19048caf984c4e5caba01947329424faafe7f66ee5e

SHA512
9803f5cd67f87c947f279ca6ac6a1ab832b6d95bfad2d3799ec90f04f07dfe6e6236cc40fe7c391036390ca69e598fd96360913982bdb9dc0ba3674d35a7cab5

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
c89862c6a536fc47a9660604c15c6ab3

SHA1
1adcde822b9721e1437a6b7736238501841bb2bc

SHA256
ef1cc66299a73134dbcd6c342cb5699feea4c63c4122ee670096467f5d4018d5

SHA512
fd92b777cbbb28ffe63c0a7a65d98fb8e80e89077e4c67f4e59f2bba227ce9b6dc07119f1259c11eab3003db32fdc00b4a946afdc270e07ce79106e16212dbf0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
422413d717276d628e31d36bce95cbad

SHA1
384be8685511149fc864bec8d66574e96a65ac93

SHA256
401bd0301f2ea52807e9c49449a08b7a828578fe6ebd6b7428467bdcc13825ff

SHA512
2e21cd7177f6a59e979c6039e3fa54c9afc80d62975d39347edcd807adc9b567562854f178dd9934bd20ca368d06c6f83f023cac5a1c5d8a106f8172c8c1c7f6

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
e2a815847c58c85a0f23c8dac5ef2cf2

SHA1
947b18c23a150fa3730fd350ecacaaf799b3167a

SHA256
e2ec19319825d5f050e02ed4f5cd4976d46ce024f9f98c979044faaf655523c1

SHA512
48e393c09f5c1d8b1f8ae3230a32ae1bcef9f7552ba9c441bb76af09db2dff13150682548b3674ac972fa8397674906cf077f59c0f74361fd9ad1e0dd1e7f7c8

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
7bcdf3163d9b6bc66d91c9542641fcfa

SHA1
c063675839159d7e548486486c8d05456528f23f

SHA256
e4c459e4955f98a1ed2b0e71c0e6ed396457dc53e23d60da4b5a54ccc21210df

SHA512
362b83aacb348be9f86dc6b3c2dfd4048e713e7ff27f8e083aa080e34723efedb0980afa29a31d7d6a7acd55e63f03663490e26c49f176268677970745f478ee

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
96a147a10e70313fd79ad60251213cfc

SHA1
0b165a36ca10acc0102752f6dd949a6b6cbe3b18

SHA256
c9c3e9d814fe5f2f554b010733bcdaf0d93755ddaeb48bbe99ec25000456496d

SHA512
214f5a5b50954ddb8af79080ba3df75485b4646078927562d5c137b2d86f4ccebca144784905254c19f075bf95797ce6f4ce576322e4264daa90a5e63928a1e1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
07a9a406d328c0976745f0da72fb7ae8

SHA1
ec77d114e98b720f0eba88acc55b393cda7ea996

SHA256
977094bfb95fd0a272bd01ad604aef445b2e27a53f02ac57e1c0e66eb65699f8

SHA512
cca9f77364e539155ee65d7a925b674fd3f1412fa29d9a620e3ffcd32674be2a825dc8aeaa6ce62655cf39b9ccabbbf704909f9d62c42136d696799bd6722084

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
9fff11d8d221cbebf99f5e000ec59692

SHA1
a3637311e80adc7ec14b9b4accc4c53e9c1cf243

SHA256
9be2f5be234dcc37846fc218adb16745b625bb0d397c397f90071ebcecab9ccd

SHA512
d14fb14a4ed318ba4d8475b0edb55e54f657fe997e70d33d741e527339b5f83a26c2a1b4f4b3fbaf1e0e186e3d7178f4f368902687c0f93da350d3cac1cf1e43

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
66748cb3fd8e25786e483361d9ecbaf8

SHA1
5a718a809d724910601ebbbae3e29d11eaed2c4d

SHA256
5e6a604f6e435954cb408c0479b724f3ccde8e33f32cd2455195cbf927f43c99

SHA512
7b1a8fb28e835afb70bde13bda0d19e6ed58787033b1919165b8b1809de4b4060947a978ae9c58615c8b6576b216ee0b5173a371822e4e1a386a73273d413593

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
b6403894b1573eab38faf6d6dc3497e0

SHA1
eb04d8db96faa0677d1dfaaa6959ea6a373c3a0d

SHA256
7e0adeed9d9eb0170ce424a600590ee19a5f6e2e6fa817e7474cd64bfc84612f

SHA512
82774c64bbc4e324ef89947fe65164bd0c242381b4d532a5bad429beb1f513035ec87b299830e55c47011ab31d46ffe929dacd371db1e44d4145b9e46516f056

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
91681c5854be972ce3c205bc136f4cd2

SHA1
a3bc1f9872bee4e6ceb19abc6b329f556e29ff5f

SHA256
b902ef16b4007d687225a906d3214a6bed04c9fab1c25db078cbbafc4b03b546

SHA512
023c31923c65fb5f891f9b4c722a2d941e901688fd2115f8b82d68945baf677e0877adf0a9c856208a580ab19358596972d88672d0aa6e8c67b0f77de65ce44a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
c3de2c447b614f5b719af9507786bf5d

SHA1
b38b17a641d4e651ef848615ca05f25357c5310b

SHA256
3c5259af75c0a70ae47ee4419647b74c5985c56a5ef133ecd4b4952d257f2508

SHA512
e626a9e8737a42040e56e46d80ccc7db72e79b78c7f74f94b18b3765d91383db9a85ad561563fba40e17f1b78abb2c805b517cd60823ec8e5eb44434219977f0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
ad72eef833a13f03ad236f212d81c3e9

SHA1
8b66bc977f755f04a9fc61ab15c986f95742cbd0

SHA256
eea11b2846948fb76f971aa5c3b0f59d4bb72fc6aa02cd71f6105e30df61bf94

SHA512
43e5e8df1dd5212e86c0a6ddf9b3faac6c589a12f7ce752f5510058e5a7075283a8b07abbfe70b53369807ad135b30d673a971f8239f5fd32fbc95b7599941aa

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
6e725aa2db5a6279cea48271f169fa49

SHA1
8de3b9c3634c26046eac9af81569127e5cbd90d5

SHA256
5098473301931cec855bb40cc42b55bacf9f2ef40c5ea32906a1161b775352d9

SHA512
bb4b585f447b412d22f64baf7bfdb905f9de33c9e6c50bc9e65c09131eb99afab3cd9b59af8e8f88728ab92be0162bbe9706ab1add997bdeaec3c7f20506c42b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
1764b03900368181d9760e49f21666e9

SHA1
558bfa4ba4c4f07625bc8baf31a1f4dad0b046db

SHA256
6ccf3f021a14df9ca0e645abab82766d3a042162eb205be01d069add34db7d13

SHA512
41a5e2d8ae0c71d288feba7a0c0dbf21b46dfe2da3448a9501b1d916719d44dc28b87cfe190ef5d40f066ff0d09fedd9bddea65e63058f00a344403ad5d9df9f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
f02b9c3236b2c529c692a6077264a5a7

SHA1
a748f17926c4c5bba11ddb95b38c8e63249acc7b

SHA256
c086cee0135cd97bfdb36f7cd85a5e35967daa1c7ca85c87fa3cf0293c0b170f

SHA512
cab49ff9a5d9dbf4429305af63149705fb6b6a38bd36f96d0d996d953bbdcd58e50ef9350ba1151640f800dee3870e1c44076cf2519a60896b297e803aa23839

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
89dea151ecf9b26eb3c2c1e4a64560cc

SHA1
7434eac27fe0a1e73c7c86c850e566b7e598dae1

SHA256
0a66a5236c5e834e2d9280cbfdb118047fc61c5be1315237970dc87034219dd3

SHA512
b559568a9694815f1ec49e4e6d85d271977f76621b64e35092ecd3061015a9062ba3f2e0dcb0970f29b447bf239595f57827b6dec42cc843a4ffd3dc3d39382b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
e7251d9926aea09fc1bbf844e5fcc2f3

SHA1
e5e5ceab71a1585f73d538d3fea2ea2614baac3a

SHA256
4dc6a26fd33ff432e809b00f9722ba46c4a3a7bbe65bf7e4d3afd9255edeec0b

SHA512
dd375eb2cb4d16f705789a2eecd925e5810765fe0eb3dd2d0c5a1d877e9a7ea97c82e558eef277f48c175e95cd997d1dfddc00030e963bf52d934064d3624d10

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml

MD5
20edddb790aad8e80eea6f38913e4534

SHA1
9df201e17e2875098b5c2ff7fa93434f8cec6041

SHA256
860c2ec9c7622fb65d847223c69e60582485c4fc1bc7a87a85ca1cdadcbf26e5

SHA512
4b1a9011279fd4b4b161db162183f3284ca79b726926f0183762170485677a1a1348979e94dc3f9968780dc50bc75ba0f65c2224aa3df6da512410038900a3e9

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
4907c935c22c90a0616550db116f6fc2

SHA1
e48264439a9f430c4e732fc7fd23cc0707a72425

SHA256
9abeb8cacadc75639389d909fec13ee6abd3caf2c8cee7027fc1bf1d664115c3

SHA512
03f804d302abf9ec37e0800abbbe27d4625d678116815ef3f01bec8c7b069cbc6167697763d202be08dc3bb5749849d321ef00c9448d4ab33ca4147c7dceb6d3

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi

MD5
c29c9b34c6a11238d80e3b6501c5478d

SHA1
3235a68f944928cad1183b2d2d6fa18590ae4da1

SHA256
9c72e2b5f3f48fed49f5d2d6bc2801ee15399f35f08480c74892486fecc4aafc

SHA512
fd4db5eff8645617500f5cfb9c0f88d8a564666ea3f9e498e4ac7d611b520e04ebb2a201dcb3dff974790f8cf6e930fe90851527c47a856e7801f009018e0130

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
86237eeb25e1ff671ad7b942e637405b

SHA1
7a39ba0c2738c8dfc6d0fec01ff8f35af4e87837

SHA256
95c1f42b6815bb850e9fc863791f6371752a0779f7ace8c15db2bed4a3bc2f2e

SHA512
2d2ec2f89139c615a213186c54f7e380f49d401d5b7cce6ceaacb4bf65cd1031baac193c6d589a1dc823ee36185975c25a2a44cb5d65f0811bc88c403322681e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest

MD5
73ab78d5fcb88ef57479414ef4700da1

SHA1
31b83ee1ab185b330c0bcb1e2454b80522faf18b

SHA256
e4f0128555ace5781ad0d9c727ec1502be25ebf3596446638b042e54336814c8

SHA512
fbe55b1a9ec1d0b388ede7195b1280270f19bf59f23ad666477c848763dfe8f95276db99b514a8866b264a6067f0d93890f12bee3b206993099695102329f7e2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi

MD5
b5d4a021afb98319903f20e69a452fa6

SHA1
3233d3849d47d8fc3931df477608653537506d85

SHA256
b0451669ef0c7c5b64aa28e5b3d7ef17809ef3db77ebc8f263773b943191858f

SHA512
9e084087e8f92025c68138d53fd7b2d66c0741a38b2ad28b989a4b44e8044bb0617a9d81c8c673d0971e300762ba541b3c6c41b70c8dcb097b6644c1a30b1a19

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi

MD5
bde83c93dc70654213b897bea54bea76

SHA1
9660f79b8f30dd9cfa9294adf912f1a89484114c

SHA256
2e04206e0ef98bec16c9607ae1cb1ccf1797469213ff7a4b5866afdd0ea81c15

SHA512
da0f2d61acc1a4adbd52ab4158e2595c9d8b9928d80e6761ffd40de6380c6c4b2855eb3a8080151560df1924d6f3df327ac177157da0806395f503562e86bdd3

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
fb588f8207396ba99427263d0208fa7d

SHA1
963f44bf17168c5a35fe21c22197cf605825f81d

SHA256
ea2e3adce33ac76af7ce3761326355f87ed8f202dc75e693bcd9c03d3c122d81

SHA512
26cb433eb2ab6add97c3e24a3bc56f602df2202599f8a38096454971d144c7e2a446dfaed86710e48dbd0627dea19bec9276d70b389288e9c36cb28dfd7a64c2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

MD5
e8613db207fb9d0474c66f68cca70a77

SHA1
146fc774fac977651d5d0c34e99a3ba91f40833f

SHA256
66b4c72a452f0691eceb12c9499501f232b75a724e875fdf852e6f44518ccf09

SHA512
552c3a9b481fde31650314fad72f1e09f5d2b46c27b01f8e2cee6614e9fa59b4f8f6ee372e9daaa4f3535b4da3215b8e2336d11cc47f93947732f05c05dbbfd5

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab

MD5
2ffb9064e640c5f9ef06ceb48416de38

SHA1
5ddcfec1345fe769054c20cc86ffe182c568c493

SHA256
7c7652dc528ced8dd83db8373842b01010b906c710457655a98607d787f4707a

SHA512
66af4bf80390b59aa7df681e34dd1a685cafa37a9fd8ee0ca95de059e3d6157a7d0dfc477ecd7af69b41b36f5c411afdf1e11b48df8012c2399bbb1f91255d44

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi

MD5
87b0b99aa812e096a06bdc78d1b52091

SHA1
247195d755fc1e554c38c6b8c3dd1d2ed7536c13

SHA256
960bf69ca56e5e2ec393f70cb3f41c2c3b4be5e1e5ab185d1ae439aa95b3bce1

SHA512
8c60851f517f04de43f6508254bd55cc80f5af5395ccf8df2121ebd2a8229f774de7b438195d80b2171dc75aadc6aa74c5e3fed44d1ad7f3882a1a5339172454

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi

MD5
2dbb2e68dd496b496554348d30a94646

SHA1
f594797c6b6fe578c7ce6263a95506482007e717

SHA256
64ca7aef83879d38a9b1f049a6a6ee74c96fbecb407d7a01f8e376270a918be1

SHA512
010872c16838035e6ca6dfaf8f4483ebbf777362a94481cfcf7e6a158d4d2b2f302237a61c9cbd7a77170a6cee023d260f35ecfcfbd28a0312647257c297e252

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab

MD5
11a63d54a0357e1c8e98fda3e8e2ea6d

SHA1
e5a849f870d81d02f01d24889f91a742eafae4d6

SHA256
f5fdf9059b53b33e4bea5d275aa62c82453d5a81a3fcf6ad0506eaae33575d11

SHA512
1ea0c0eca05e954e629cc50d9f34d2a2730876071390b69450e7605c6c192d46145d0cc28cb9bb09e676e5b918ce742c2aaf9191428f837bce392e95369c7f6e

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi

MD5
eaef7702e57db854a787246ab2ba7885

SHA1
75d782e236cddbc81a89a8eb91d50fd21b9ea79c

SHA256
088d36fc8cc344b693191610dfbf7d44a8e501b746c1b3bbbc540d861b342a99

SHA512
72bebe2461ecc575046eadb849fe4815c9bb1f98f37d8223caf62f351eb124b26512b174c001c8ae4c6a46d6b634468e5ff6bb48b2e3f9e401b5250f49c292da

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi

MD5
d9ffda469e04ca49c52a4c2f04cbfa42

SHA1
d93b006332e7e4de73cf79819f43f0af98ea30ca

SHA256
a2241fbad497719807b1f1ef450854809b1ef97ed41e93b7739408e21243c72b

SHA512
82d11580ba21966afbc09fc7228a9d98c7e872be5d6ff06e958849d38ef16c46aac06c45b0ba161da709b1fffaa52d128ccc597801ece9726a009c8498afa3d0

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
ed64b5ecbf7285c8de6f5ac93a30017d

SHA1
c072c7e7042ebf9a9b5d952134e38102054beaca

SHA256
143dd802406d61f3747dde579fc9a34c7cab2051e114615b890714893056a130

SHA512
35cdb0ae86e2254d39493825ba37d6967da411b4da18ca4fe138b29fa63f9bc6a8c4eebe02e89701886fda384cd64d2c9708d150bae6c22729ae305f78802b66

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\lVrVy.exe

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\Users\Public\lVrVy.exe

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/432-65-0x0000000000000000-mapping.dmp

Download
memory/1016-59-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1088-66-0x000000013FFA0000-0x000000014032E000-memory.dmp

Filesize
3.6MB

Download
memory/1236-64-0x0000000000000000-mapping.dmp

Download
memory/1468-145-0x0000000000000000-mapping.dmp

Download
memory/1576-157-0x0000000000000000-mapping.dmp

Download
memory/1792-63-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

Filesize
8KB

Download
memory/1792-61-0x0000000000000000-mapping.dmp

Download
memory/49372-156-0x0000000000000000-mapping.dmp

Download
memory/69064-132-0x0000000000000000-mapping.dmp

Download
memory/69124-133-0x0000000000000000-mapping.dmp

Download
memory/69208-134-0x0000000000000000-mapping.dmp

Download
memory/69256-135-0x0000000000000000-mapping.dmp

Download
memory/69292-136-0x0000000000000000-mapping.dmp

Download
memory/69316-137-0x0000000000000000-mapping.dmp

Download
memory/69360-138-0x0000000000000000-mapping.dmp

Download
memory/69404-139-0x0000000000000000-mapping.dmp

Download
memory/69416-140-0x0000000000000000-mapping.dmp

Download
memory/69456-141-0x0000000000000000-mapping.dmp

Download
memory/69468-142-0x0000000000000000-mapping.dmp

Download
memory/69548-144-0x0000000000000000-mapping.dmp

Download
memory/69592-143-0x0000000000000000-mapping.dmp

Download
memory/69620-68-0x0000000000000000-mapping.dmp

Download
memory/69652-70-0x0000000000000000-mapping.dmp

Download
memory/69708-146-0x0000000000000000-mapping.dmp

Download
memory/69764-155-0x0000000000000000-mapping.dmp

Download
memory/69836-147-0x0000000000000000-mapping.dmp

Download
memory/69840-148-0x0000000000000000-mapping.dmp

Download
memory/69920-159-0x0000000000000000-mapping.dmp

Download
memory/69928-153-0x0000000000000000-mapping.dmp

Download
memory/70000-149-0x0000000000000000-mapping.dmp

Download
memory/70012-154-0x0000000000000000-mapping.dmp

Download
memory/70120-150-0x0000000000000000-mapping.dmp

Download
memory/70236-151-0x0000000000000000-mapping.dmp

Download
memory/70336-152-0x0000000000000000-mapping.dmp

Download
memory/70388-158-0x0000000000000000-mapping.dmp

Download