ryuk | 5f3dfd6ebbc2e717d82e9633fd023662f088cace55fefe287b4035f34fdc9850

Analysis

max time kernel
283s
max time network
131s
platform
windows7_x64
resource
win7v20210410
submitted
27-04-2021 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

second-working.exe
Size

170KB
MD5

db7a5753e18d43598975d4f446fa4262
SHA1

065f0809ce702794dcea8eab0f993c0f662a45ef
SHA256

5f3dfd6ebbc2e717d82e9633fd023662f088cace55fefe287b4035f34fdc9850
SHA512

15a183d4bfc2d7c498b574219ecc998398003f49445a1725aefe6cc8430d7aee1ae6738415f60f124f836cf24677b8e80729a3909436770d040fbcac989922ec

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\second-working.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Fiji	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLAPPTR.FAE	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\javaws.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_TexturedBlue.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Oslo	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.security.win32.x86_64_1.0.100.v20130327-1442.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Hermosillo	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Installed_schemas14.xss	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Bahia_Banderas	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Omsk	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nipigon	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14983_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00601_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Sts.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_center.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\BRCHUR98.POC	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Rangoon	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+10	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME55.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0292248.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-progress-ui.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\THROAT.WAV	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART3.BDR	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02270_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222017.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CERT.XML	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216600.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\OrielLetter.Dotx	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Nicosia	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00737_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01301_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\UserControl.zip	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21336_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\VIEW.JS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212299.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Casey	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-11	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0106208.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21376_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00476_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14869_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\MUSIC_01.MID	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
69564	vssadmin.exe
836	vssadmin.exe
2108	vssadmin.exe
2240	vssadmin.exe
2320	vssadmin.exe
980	vssadmin.exe
2300	vssadmin.exe
1444	vssadmin.exe
2176	vssadmin.exe
2356	vssadmin.exe
2368	vssadmin.exe
2208	vssadmin.exe
824	vssadmin.exe
864	vssadmin.exe
2268	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

second-working.exe

pid process

1072 second-working.exe

pid	process
1072	second-working.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

second-working.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1072	second-working.exe
Token: SeBackupPrivilege	69592	vssvc.exe
Token: SeRestorePrivilege	69592	vssvc.exe
Token: SeAuditPrivilege	69592	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1128 taskhost.exe
1236 Dwm.exe

pid	process
1128	taskhost.exe
1236	Dwm.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

second-working.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1072 wrote to memory of 852	1072	second-working.exe	cmd.exe
PID 1072 wrote to memory of 852	1072	second-working.exe	cmd.exe
PID 1072 wrote to memory of 852	1072	second-working.exe	cmd.exe
PID 1072 wrote to memory of 1128	1072	second-working.exe	taskhost.exe
PID 852 wrote to memory of 1684	852	cmd.exe	reg.exe
PID 852 wrote to memory of 1684	852	cmd.exe	reg.exe
PID 852 wrote to memory of 1684	852	cmd.exe	reg.exe
PID 1072 wrote to memory of 1236	1072	second-working.exe	Dwm.exe
PID 1128 wrote to memory of 69528	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69528	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69528	1128	taskhost.exe	cmd.exe
PID 69528 wrote to memory of 69564	69528	cmd.exe	vssadmin.exe
PID 69528 wrote to memory of 69564	69528	cmd.exe	vssadmin.exe
PID 69528 wrote to memory of 69564	69528	cmd.exe	vssadmin.exe
PID 1236 wrote to memory of 69576	1236	Dwm.exe	cmd.exe
PID 1236 wrote to memory of 69576	1236	Dwm.exe	cmd.exe
PID 1236 wrote to memory of 69576	1236	Dwm.exe	cmd.exe
PID 69576 wrote to memory of 836	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 836	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 836	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2208	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2208	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2208	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 980	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 980	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 980	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 824	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 824	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 824	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 864	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 864	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 864	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2300	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2300	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2300	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 1444	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 1444	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 1444	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2108	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2108	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2108	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2176	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2176	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2176	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2240	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2240	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2240	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2268	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2268	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2268	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2320	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2320	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2320	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2356	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2356	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2356	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2368	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2368	69576	cmd.exe	vssadmin.exe
PID 69576 wrote to memory of 2368	69576	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69576

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:836

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2208

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:980

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:824

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:864

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2300

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1444

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2108

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2176

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2240

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2268

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2320

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2356

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2368

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69528

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69564

C:\Users\Admin\AppData\Local\Temp\second-working.exe
"C:\Users\Admin\AppData\Local\Temp\second-working.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\second-working.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\second-working.exe" /f
3⤵
- Adds Run key to start application
PID:1684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69592

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
2283b42efd50053c967bf862e7e161c6

SHA1
fb96eadbcce5318ae655b722a203daa735a91754

SHA256
1b8167348b26a2eeb642e437c38c9aa884dde7f6a9d73e7cd40105bedc6146e8

SHA512
01b4966f86c36119f88a72aaed45101b175925b4c887e2be0c63cd76f1aaa9b87f6755f82c4b9fde7b0dabefaef527459261f449612cddd7604b13fbb94fc0d7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
0e02fda81f5be071be4d360878fa6429

SHA1
65839fc7b61ca6d4282af01dba1d1ca3cfd360f9

SHA256
b5271bf329dfc05d3c48d39e1f44532b01610ec3b130be3b94ab30da1e8b1d9f

SHA512
97e5b6439991bb939a914d5cf46a9b2b914aae3ff2f7d434f38ead4afdbf8a7eae5dce13b7e516d68551e5ed11a1c8a1833a79d025e86c08d1f3d8eeaf0b9870

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
7cc1f7f6ba66604a0728657669edc4f3

SHA1
4563651d0ad49e153336e1b3b796c3b25336cc7d

SHA256
d7aedf7ad6af9910dadba2c514a584399f93381263846956b15d4e76d42aef74

SHA512
517fc6475fda5d1b32aa76e5e811aa3c8152fa82879cbd46add75673039ef6cd0bf6c2e7bcdff0f5bc6418e0cd1e3c6a25e1e92098bcdca811023ac0467aefdb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
b67a265d57be243fa70ce984f57ba0b2

SHA1
d6d92e87083f3b985cd01ac5ef1e064eaa921641

SHA256
80fb5bf1929a067ea67ec0eedfa66da228c2012e15213b08e6bb7ff59a9f6b4a

SHA512
694ebe15a55e4121738c8d311881d4c94c36d02cb5ce4977832f13ae7af6c1ecf67086f2ea32978ee61dd1ef488b19fa007c65e2c0fd20b96d88243c8f8459bf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
ec762c9561e0c8d516b9911cf5e20a33

SHA1
0d2613841f790bee6cfdf2542346409f1ab43ba6

SHA256
34f6020ed0ab369c773dd61a9eae4921adc476edb6583403a6e0344739fa69fc

SHA512
69a1c29a67070b8927de1f755d149d5b0a6415629a04ba2042cff8370d3441712732ab155fe428caaf9981f082c9d2e314337346f18e18dec8b5a56a2fc6ec8f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
80f2258877133f33adbf7510bfb6b7d7

SHA1
10b4ece157fba0ee1ea18d02160dfe7b4ac16bfe

SHA256
cc3dfd0f504220934f516e6b76d639637c910d14d1c54634fda3104e0f951ca2

SHA512
a38362d86734622866fa9aad6aacf4b4d7e52f67d117e94337e6d592900cecc9df682694b162b9fd36616d0664d476fa9a2fe1f77cb7232d1f5c85f11a49b881

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
e93914cdb0dd2c7f4c622c3898f4d31e

SHA1
36f51a496611e29f067ab8afef024500e2d130e7

SHA256
7a9b8e01c03385c975e95512a16c6afad46f71e16f5053d137fc6933334e8b01

SHA512
5320291df3d8a3cdf0a89e77deec11994317b4b8e95b9531f98c2fd46181e312f6ad56b3900f38ac84f844c1c58094d8234961c63fe1957c279d6b49ce0eefce

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
b796633efcb5360a95e909b48b38b25b

SHA1
dc2d17cf5c9baee977b182dd06bd0e569b4f325c

SHA256
f0d049cc0aa47eac2c7a7bf111ff5c0467354fa4a2e066bdc95d90f12d355df7

SHA512
037e2f1b50bb7a8fc800a3460ea9a8823ffcb3db9d738cebb3c61fb1822bb97e5ad61b6307ead9428ea242c7c686fc516512b427f79d66bbb15a42cbe9b600a0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
3590970c2998a180b05df89b2235bcdd

SHA1
bcbe446a9a32a9a84f88a721dcd374d295e0459c

SHA256
2ec3dd57769f155f0fe73d36c30002ba7d641cebb637bd276e9792dfaf124441

SHA512
393cd3f559b40e0f07968aefd96512d25dd688f69a61386682022750f96418b9d5862388441fec832cc46219b0e8cbba914f6dd0587f856ed1d9dfc7c467e892

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
7ec464e17c4adcf3d6c0c941a4978cd1

SHA1
b59c6ed43c4540d8cdb865c74116d03f0f042264

SHA256
be39bf2a2d34a614aeb8b40c6a0a4bb3ff7d075cd99573b6c58983f4c3e3f131

SHA512
f6e7dc3122ab9019386aaf260b1156646bed2e1b791f9fdc382fc82e9245a951fd7056ded9f6cc98a12bae787e3da9086753ab248cb9d50c59db05eeb6f1908c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
5feb22fdacef0cda0fcfa37cd69be42c

SHA1
fbe0eaa3a9d9b33e8c9f1920b9b830e4fe277708

SHA256
9d314ffd1a97deb9f022ea1e1f21539edf95e94a53f0878c028c57c7558c6778

SHA512
0900a07df168717a10be8154b3c7a21623ec7ca5d04a7277c713e0d4f561e167a7968a757616b2b7e2b40c81fef7ece607f61a92b2f9c9501caacd74c9465ed8

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
95a22a7376562abc2368dfb60cd0a1b9

SHA1
641acaea5de05e22001c27fd2ea240af85a12fd2

SHA256
fd70d570df5828455429dbb7c15b71ee078e4b8770c44ed2b639a66f5c881d00

SHA512
eb72e7928305fbac9059e0cd998662904ca6e192cc104d08c7785bb26bc0c39b8f32ea9a0148756d1e3de7ea2232194828d7df801883134536821790ddb2cda9

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
31c572bf62970799e08ccbf72c05f1b2

SHA1
e6ee90bd5932350189c2335151979991a84b5439

SHA256
481d61c892b8a27807777f1781efd18238f74c22fd35042a5e36f01d27bbc94e

SHA512
443d8c835918db827b9bcc7a6015440678bbdca5e76cbeb009a6841a87f371f47763f910f593d6b22f1f125a2cee2fba0d607236ec7302f2a034fac593f90e53

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
3e08d60ed64e1e3175759df9b9dcbd4a

SHA1
58244a998ad49325bbe3e9f9ddd273bfa0f82473

SHA256
1831d0bb976adc94f4b68b2d982966aa6e5e016ea898cf9fce9292769f119d73

SHA512
f476be81b481a5624a910f558f0a22ed76fd2521c3f5015c9e59771862260d8efa52c055a3aa5535fb17f074ade6f0d0c374062c455cce340f288a17715fb5cc

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
da472bcb1d91e33b23e09841fc878142

SHA1
e929204280880601bce29d931c01b991fe60574f

SHA256
67576e2ed71ec16aca81bfd338cd5e4a60e236574e7fdd2407d8f7fea23fa6df

SHA512
91e4c873a9541da3f8ed5414901983fb8d15bf831c36c140f911adbc3ad9fe7df1b23dd4cecb7092e61569e48999f46aa0d34b79855b788bdedcbfea842c9112

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
f2d833aa065eddae41de3bb92b16d281

SHA1
d233b64d909063fdb6786a322c7627fd6ef54baf

SHA256
8e244db8bbc30d3db4ca1099aa2e406faefe5e05d48dd18d0d2c06bacfce3cf2

SHA512
82ef893b45b9e4b0f4c9a14c423814857b0317b5aaf016c1aebe78d00bb3aaae8cc4f2b42881bba823c451ca40ac73bc59478bf7ba78d547515c157e9604c5a0

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
2dd41739e0ba7e10fc793ca2593a9443

SHA1
9b51466685d83a3200dfa8848eaacac1a716cefd

SHA256
af19db98962f642143efc30a4be6bde95978b5fdfbff47fa9b0a47a18708fd31

SHA512
8cf8627456977515baf0a93f1fdcb24a7155accc8a0056ed8445f8d2a68235262d1ab55eb1709ec8c32b6f0475bd365dd5f4135ca06a62ae7481cb9b3b92f7b1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
cf7fc0a7cd1e261e2a933768db7ab747

SHA1
e0deb92ce0d0b7745d0208b683710695611d7918

SHA256
fae3b03676451202a8b0ecab12f498ceb93f7872147928c75dcb1ddc7d692c0b

SHA512
9ff1979356a2d088797e2a376366be74eed7a46f208f5809fe1ce64957e51295f826d844723726c829373f2102961bf833982e4c8eb9d9cfde0e77517638efd0

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
e2510bb31149d3341c7ac798ec3caed5

SHA1
f0067f8468666207ac4baea3073c344d5807a822

SHA256
567342232f803fcd088de164f86181d8c85d56b33d4e3632b97e3697559721f3

SHA512
9d0124c29a641f47f119504569b2b0dcc325dcca45ae3af47a6609f45f2700560eff2f443f38b58400906348e0e5a8970528862679af1250fc8c43dac9864132

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
f08a2404f4d0f727501b6fcc7c7b243d

SHA1
275bc7d4b72027255ccc28b2985e9d6148010f88

SHA256
aadcebafe8d45177357e755e582c1eac855c6769ab202e632fae8e818a68d758

SHA512
6bcec6d27cadc8dbbc3df35ab657de4336929e286055a53d1cf293aae2fd26aeb031ecc70537617c039e23fca2e7b8a21b4bd70665f02a6a7d2057853e6d9e17

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
70d07b59321d58dded003b73b5bc199a

SHA1
c5cdaf6c379c38b77b6159722019ee3688880c0e

SHA256
b5112736ecb099dbb9bf91e82e9c9433271abd3da6e4a57cc09e2a4ad1109eed

SHA512
b6afb9d89e1116753dbe89c44d5c3244c7c242fdb4790628384ecd66167620b85df1474bb3afdc535863f857315b6f22f4369215aa2397320854585a13b84e84

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
e74fc961986aa74fa71d5db386c94583

SHA1
574fdec632139c61560f2024980cc0e9a307b859

SHA256
e7747a45d842a989707172c51b9bcb1cc30829328e18589765155ae4728458a0

SHA512
9de3043dffbe1d2180dc2b090f43a5ffdb6bceaf52618c84735e5f52175ffda6b2f4c643eadaefb509d4ffcaaf394dd62e78d80267acb2868e4ae5a82ff761c8

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
a0478e5987cb480e989d49c163078896

SHA1
e5077e5181fe2be508b6c863cc52e3c526fefa9e

SHA256
aefee06b92b30a907360a14a97ba50c7459b927c3b1483f741e7826010aba9b7

SHA512
24106752043ea5e4108eccd3887dc20993e136a86899f61908b7032390ce861b5167f2a8bc8020c255f66648713d82dd335f40b5e06c38680d2d66e82f3229be

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
7a0a310bd2c49cef93e07c23a9dba044

SHA1
1936234cb14bd9ddeb72dbd97398aad30999a1b0

SHA256
238b8b6e5a23456729757d2b52863cff97d09993ea7e2e85878604fa66d82063

SHA512
24a47a4b7773a27718c2131d7ad0f4aa02f5c20b62feabf3bb154fd00d46c500dd9859b50ea29807a9a64fd6e9d5c223e2b362e3326483f07de566c1dd406a61

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
05bbe66fb759bb88eed1d76cffda2e72

SHA1
8dd6a51a6e7bc65036fe0d97426a3b17582bd7d0

SHA256
95fa3b5c1187f573815887e41ed249c91b617a3d9eb0013395a6ffc2492f16c2

SHA512
e878bee50324b88237d222cd09f26b3fbf3a41a804b934a96562b337fde1b136264d65f778b48a1f3464e2f1c0351b2103ee1c60fe966c1e6fa41f9ffa83b7eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
54759e460136e82b8d7624949f3fd96f

SHA1
25158a2b9260fca62f70c6e29829815f2a3c3314

SHA256
26ccd5f6b391c237baa807694d68db48cc2dae4c3a454f563b0d8f8b6814f413

SHA512
41e3d31bdcf9d4a231d05e2d1b7631ff3e533aa95e3d7eb36da1953ea7a3957ccf0643bf82e5c5805e5c1044d65f30f4221a706d796f94757f725774ab61f2a0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5
ce51f0c5d025c79919360f7323532b9a

SHA1
fdd741e4109a3df199c66d3dc12e3b0ebcc68016

SHA256
253cc1c1d54b79e0e877e2772417979fb766bf6021901ff62dcf4f71014254df

SHA512
72ab13ec796dac8713d68595f7515915aff45ce8258bab765f9b1b200266216883376b75d769847b2cd1585af0cd9da9b17b0a23071471a6f99ae154b8b78e0f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5
e29dd963d471e40d5865c59cc350fefb

SHA1
7e7376f7acf8c1e2a304fab81ba91cb8698728e0

SHA256
17f38866c14e58707228e66a72b91694cebac602a80c4ac749453a566dafd298

SHA512
baba446685ee23e949f2cb1474ff5763b69cb3ac53124e6f16c28ba8f7f4a86618144b86c2216421e2d8549a91810ce8e9f0c499ef44f8fc1ef0443bbbd555ca

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5
01293cb3173b010e4b7eb221c3d71d4a

SHA1
dcdb7956d5ce4b8d1c2c7551b384c9ae6b2d12c3

SHA256
66af395e39199afc8084374f853e58bc826e68559779eb31db1b5ab21496c84f

SHA512
56f5a5bfb12c93819a5b5d7a17a7da3f9f9fcfbb4c41b4c1758b7beca6692b1a35cb0207b82813b9b73563baea9a9c84bb571a1a6419fa031f2c9d2941669927

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5
5128bd30d76f5370436fcd507bd94fb8

SHA1
a52c0abdf209e67011ea86aea5cd96bb222e01a6

SHA256
8b11344cffcb6153612a7337dd4d7a22d806dfaa06d220ba13f83e12d954872a

SHA512
10c8c5f4285dc628c33526ed36f36ffd0509b3e7ff5130c93396c8f263bf445e9ce3764997b34afa13e54ec60be1676132beb6700120545a7c7327e43816c951

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
12e198e2de2b42a4b48fa46d4f59c5ab

SHA1
b070cff10280a7212fd73b59c11af70af054ccb5

SHA256
20c2d275b7b075e190b539d2a0c328816b7e838a440819dcd31a29e922ec67bd

SHA512
9245274d8c9c7fc1c0f0e455938b5363c946c30412db194d374dd05866301183fa9426e08a35bdfb0149793511d516debc5a6363292b183ec6d893695c018498

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5
20d331f1415e24a9247b44f08fbe5910

SHA1
66d3b9bd009c6a2e59fb302bbd6e0f222ff5bc83

SHA256
2c821e2bc4d3602b2624ee89f41ba156022342d23460ac25360aa82674d9d5bc

SHA512
722b49b86c3f0489787d602e6f0a3702c8bfdec71af365431bda46fc79788d8c946bb0d69e35d9122906fecd37f8572bf4c1e1cdd25274d96bc40f8783dcc9df

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
979f3e2ab1eafca5424c883718aabd0c

SHA1
d583d2caf0f727c5263941d55a45253831fb7b40

SHA256
4167521167a775b90db93b3e2cbe99c2d69f706d5c161d1664803e866828431a

SHA512
f42ca01f7d3509928688d4ed109705b3f87fd04d933f685e6d170dcb6cd65b19198ebcc2c8e470808105097ead479caa9864915a2ae9da08f72b2be735fb2271

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml

MD5
a23c50167c9c5fd8cdf7e4d91404c9aa

SHA1
33ddc3331694390985337e2acdeae187ba6c62de

SHA256
0447cad0a49db52c7158384d0af286a3be045741520cae5ee919e4fdf461ab54

SHA512
d7ff708d79c36955e2bb548f3c9a141a85400c86d83d58ad288f5eb8aac554a00dadd80b230191f4bffe4a897719e461645459dccbd0339cf3580c459c925878

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
fee7052ffaabc4726311ed281699b330

SHA1
e92a0f77cf4bae93fea278bad537d4c8786116cc

SHA256
b7ecb69aa2a4844f180bbe4363a916cd4e2d0e48818821d2944eab8b31cda14b

SHA512
51bc329b57cda6c8b7937df97f3904d150f6e38d9178b07ff5110dc0b3a07bdf86bb946930f4b7dc788bce739e700eafa10a8623ef960e2180c11fe165a0a590

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi

MD5
897316259d6c59525314dae324a70a38

SHA1
1905c936a7e59c750f5b5bd02e96b6e40558fd2f

SHA256
78a313503dfa13917a276dcffed13944d0d1db1d08ed586cfa10aa53cdcc1e01

SHA512
e39d121319500865de7024404f7d4539eba98e7c4e4067a42cebe036180b8a0e31aa9995e40cfe3224f79ad225a45a0c914c7494469f0a1d003f7f2558224103

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
3ca1c77ed81e96e71e4c94d00b76e588

SHA1
b03ea364cd2cf654990f7a2ab6ca3026d77f7530

SHA256
167ea8e2b72e846375a371e0fa527e892e0c1cb0a7ca6cc37d944ce544e3e3bd

SHA512
47044083657342b1434c9a19f61117d173909e24d82ce6ed14de68318fbb26702658d0637acb1fd119844b12aa5c831de385cc109671253257043edf3f4a90b2

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest

MD5
5b371dfd330e8a81bfebe0b178ab8457

SHA1
758f880288ed7440d4368e40e494d3fb44a7db33

SHA256
63c7aef5974e768bb89af1b29a8c9ff642cc57f2b4c6b35b0770d82fa3fcc2ba

SHA512
c36e6eabb8d33432236755ef0f71e0afdebb9c193ba4f04397ce29edbfe9893c832834bdb166246be6e25dec9d8567fd91b81d757c09465310863b440a6f5bc6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi

MD5
c3667c3651adb9e715bc0848646aba8a

SHA1
62000e4eb65a1b9d5f67101af0429a832b7856d2

SHA256
29e0aa0c959accf09c96106fd0ec46a007bdd42cd922e7f4b80a1f682aeadc77

SHA512
ae651bc2d3fbc87e86f400b3e8a0fdb1ebcbb9c92014b16f3a2c53b599deacabe640780ffa4bf2de11ecec9814930990b71ffa8fda4345a60d881f2a722217b9

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi

MD5
23078b8674202c797cf2d95c3555e094

SHA1
e49ed768983d46ed195e6a6c52a25bad8f8f89d8

SHA256
cabe07102a896fd110c4e22918c4cd6a9942759a5b19dd2b2db142c7abaf059c

SHA512
507c63678e2f80887b4c491dbcb1561cb80aa6f5b58667bb35dff174de0b5b467260706d0a7f4bb3be7c65b2f42b2ce2f2e9bb4368989dabebe2508f6ef7bc0f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
536932432b118a7e17280758e5b846ec

SHA1
66c5f4a6179e654cfb0ea9acee7963296b313132

SHA256
915e0652639fc213e251f363514820878c981c8e7111b84ddcece65dc3894c25

SHA512
aee2f5bb388792824428c50d25023dda58b9778fbb31f450db9640970ea1a970f8dd40eefa926597ac131adf03718b8b07ff66bd0cc3f6946683128813005985

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

MD5
0bf1fabc823b698beabae4921923c3a0

SHA1
ae3572259fad5bbe4ed82d432e7c45fa174b98db

SHA256
9f75efe59ee31b4b8d875b73911f6d432ba97c6dc2526db5eaf7f8a06c8a1b3d

SHA512
78c92e212b15c7cc1670398047f2a65217814b2e7c421cf5ca0cd84d55353ae95e63a8e42e08a68128d51aea71f2629e0e11502bb09b055a3e2fff300d7eea55

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi

MD5
10625e62d378e60dc8923db6c2975f9e

SHA1
261566a5c799ec257612fc4b46b0f4c6949b7176

SHA256
3faf08672409cf60484db8260a49206882f1af9ab9ddcccd8083228c3aab3ab6

SHA512
25a8b74eab346e69f7206f7c2e201f6f9ab78eff180542662982ef6f4cc6eba666866ec51cfe3731434bb6d86cf429ce67544a1a79db14767b1206d695180f36

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
d7dacefae538ed3f120b098d8392b516

SHA1
d0d2cebc911a2f5197ee50fc1ea985366fa84ea5

SHA256
54d373da4a6e4cccba1f61caa4b17d568a4f61f2021bbbb0d4a06f3f76780e2c

SHA512
c0c222745901870698e6b958102614345025bef1cf00f4f4a22f3b62f5688a3499f0ccd8c0d7188f485eac152ea6fa03135698ec3f28d4eef9e12d24e1057052

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/824-135-0x0000000000000000-mapping.dmp

Download
memory/836-132-0x0000000000000000-mapping.dmp

Download
memory/852-61-0x0000000000000000-mapping.dmp

Download
memory/864-136-0x0000000000000000-mapping.dmp

Download
memory/980-134-0x0000000000000000-mapping.dmp

Download
memory/1072-60-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/1128-63-0x000000013FDB0000-0x000000014013E000-memory.dmp

Filesize
3.6MB

Download
memory/1444-138-0x0000000000000000-mapping.dmp

Download
memory/1684-62-0x0000000000000000-mapping.dmp

Download
memory/2108-139-0x0000000000000000-mapping.dmp

Download
memory/2176-140-0x0000000000000000-mapping.dmp

Download
memory/2208-133-0x0000000000000000-mapping.dmp

Download
memory/2240-141-0x0000000000000000-mapping.dmp

Download
memory/2268-142-0x0000000000000000-mapping.dmp

Download
memory/2300-137-0x0000000000000000-mapping.dmp

Download
memory/2320-143-0x0000000000000000-mapping.dmp

Download
memory/2356-144-0x0000000000000000-mapping.dmp

Download
memory/2368-145-0x0000000000000000-mapping.dmp

Download
memory/69528-65-0x0000000000000000-mapping.dmp

Download
memory/69564-67-0x0000000000000000-mapping.dmp

Download
memory/69576-131-0x0000000000000000-mapping.dmp

Download