Analysis
- max time kernel: 92s
- max time network: 40s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 26-07-2021 12:59

Static task: static1
Behavioral task: behavioral1
- Sample: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
- Resource: win10v20210410
General
- Target: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
- Size: 159KB
- MD5: cb0c1248d3899358a375888bb4e8f3fe
- SHA1: b72e75e9e901a44b655a5cf89cf0eadcaff46037
- SHA256: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56
- SHA512: 298668596ab422c93ebedf41bc5751941c2646df5bfaf7f374beb207bf38fa6d223186984d71ef25b2c21e068870c9c5cf11626b99350f8799fb0ebaca4a4cee
Malware Config
Extracted from: C:\RyukReadMe.txt
- Family: ryuk
- Contact: StevKramer@protonmail.com
- Contact: StevKramer@tutanota.com
- Wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies extensions of user files (4 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes: taskhost.exe, Dwm.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\Pictures\SelectClose.tiff | taskhost.exe
  File opened for modification | C:\Users\Admin\Pictures\OpenGet.tiff | taskhost.exe
  File opened for modification | C:\Users\Admin\Pictures\SelectClose.tiff | Dwm.exe
  File opened for modification | C:\Users\Admin\Pictures\OpenGet.tiff | Dwm.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: reg.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" | reg.exe
- Enumerates connected drives (3 TTPs, 36 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: vssadmin.exe (20 instances)
  All 36 entries are "File opened (read-only)" by vssadmin.exe; iocs in the order listed:
  \??\D:, \??\e:, \??\G:, \??\D:, \??\e:, \??\F:, \??\g:, \??\e:, \??\E:,
  \??\g:, \??\D:, \??\h:, \??\D:, \??\f:, \??\E:, \??\G:, \??\E:, \??\h:,
  \??\H:, \??\h:, \??\f:, \??\F:, \??\g:, \??\f:, \??\G:, \??\g:, \??\H:,
  \??\G:, \??\H:, \??\e:, \??\E:, \??\f:, \??\H:, \??\h:, \??\F:, \??\F:
- Drops file in Program Files directory (64 IoCs)
  Processes: taskhost.exe, Dwm.exe
  All 64 entries are "File opened for modification"; ioc | process:
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF | taskhost.exe
  C:\Program Files\Java\jre7\lib\zi\Africa\Lagos | Dwm.exe
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar | taskhost.exe
  C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusAway.ico | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\UrbanFax.Dotx | taskhost.exe
  C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml | taskhost.exe
  C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf | taskhost.exe
  C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\RyukReadMe.txt | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat | Dwm.exe
  C:\Program Files\Java\jre7\lib\zi\Asia\Magadan | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF | Dwm.exe
  C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif | taskhost.exe
  C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297269.WMF | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF | taskhost.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105360.WMF | Dwm.exe
  C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml | Dwm.exe
  C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF | taskhost.exe
  C:\Program Files (x86)\Common Files\System\en-US\RyukReadMe.txt | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC | Dwm.exe
  C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\RyukReadMe.txt | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV | taskhost.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02022_.WMF | Dwm.exe
  C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF | Dwm.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\RyukReadMe.txt | taskhost.exe
  C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar | taskhost.exe
  C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\RyukReadMe.txt | Dwm.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 28 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe (28 instances)
  pids (all vssadmin.exe): 70080, 70164, 70188, 204, 70440, 70280, 236, 70252, 70412, 70440, 70312, 70076, 70140, 70216, 70344, 70408, 70236, 70396, 69796, 70172, 70248, 70376, 70048, 70312, 70348, 70108, 70280, 70044
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
  pid | process
  1652 | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe, vssvc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1652 | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
  Token: SeBackupPrivilege | 69824 | vssvc.exe
  Token: SeRestorePrivilege | 69824 | vssvc.exe
  Token: SeAuditPrivilege | 69824 | vssvc.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes: taskhost.exe, Dwm.exe
  pid | process
  1128 | taskhost.exe
  1188 | Dwm.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe, cmd.exe, taskhost.exe, cmd.exe, Dwm.exe, cmd.exe
  Each row is one "PID <pid> wrote to memory of <target pid>" entry, collapsed by edge; the last column is how many times the same edge is listed.
  pid | process | target pid | target process | writes
  1652 | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe | 824 | cmd.exe | 3
  1652 | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe | 1128 | taskhost.exe | 1
  824 | cmd.exe | 1568 | reg.exe | 3
  1652 | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe | 1188 | Dwm.exe | 1
  1128 | taskhost.exe | 69760 | cmd.exe | 3
  69760 | cmd.exe | 69796 | vssadmin.exe | 3
  69760 | cmd.exe | 70044 | vssadmin.exe | 3
  69760 | cmd.exe | 70076 | vssadmin.exe | 3
  69760 | cmd.exe | 70108 | vssadmin.exe | 3
  69760 | cmd.exe | 70140 | vssadmin.exe | 3
  69760 | cmd.exe | 70172 | vssadmin.exe | 3
  69760 | cmd.exe | 70216 | vssadmin.exe | 3
  69760 | cmd.exe | 70248 | vssadmin.exe | 3
  69760 | cmd.exe | 70280 | vssadmin.exe | 3
  69760 | cmd.exe | 70312 | vssadmin.exe | 3
  69760 | cmd.exe | 70344 | vssadmin.exe | 3
  69760 | cmd.exe | 70376 | vssadmin.exe | 3
  69760 | cmd.exe | 70408 | vssadmin.exe | 3
  69760 | cmd.exe | 70440 | vssadmin.exe | 3
  1188 | Dwm.exe | 70008 | cmd.exe | 3
  70008 | cmd.exe | 204 | vssadmin.exe | 3
  70008 | cmd.exe | 236 | vssadmin.exe | 3
  70008 | cmd.exe | 70048 | vssadmin.exe | 2 (the list ends here at 64 entries)
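In the WriteProcessMemory table the sample (pid 1652) writes once into taskhost.exe (1128) and once into Dwm.exe (1188), neither of which it created; every parent-to-child write (cmd.exe into the vssadmin.exe it launches, the sample into the cmd.exe it launches) appears three times and lines up with the process tree further down. The Python below is an added example, not part of this report or of the sample, that parses lines in the table's own format, collapses the repeated writes, and separates injection candidates from ordinary process-creation writes by checking whether the writer is the target's parent. The excerpt and the PARENT map are copied from this report's tables; the classification rule itself is this example's own heuristic.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Excerpt of the report's "Suspicious use of WriteProcessMemory" table, copied
# verbatim (the repeated lines are in the report: one per write call).
REPORT_EXCERPT = """
PID 1652 wrote to memory of 824 1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe cmd.exe
PID 1652 wrote to memory of 824 1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe cmd.exe
PID 1652 wrote to memory of 824 1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe cmd.exe
PID 1652 wrote to memory of 1128 1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe taskhost.exe
PID 824 wrote to memory of 1568 824 cmd.exe reg.exe
PID 824 wrote to memory of 1568 824 cmd.exe reg.exe
PID 824 wrote to memory of 1568 824 cmd.exe reg.exe
PID 1652 wrote to memory of 1188 1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe Dwm.exe
PID 1128 wrote to memory of 69760 1128 taskhost.exe cmd.exe
PID 1128 wrote to memory of 69760 1128 taskhost.exe cmd.exe
PID 1128 wrote to memory of 69760 1128 taskhost.exe cmd.exe
PID 69760 wrote to memory of 69796 69760 cmd.exe vssadmin.exe
PID 69760 wrote to memory of 69796 69760 cmd.exe vssadmin.exe
PID 69760 wrote to memory of 69796 69760 cmd.exe vssadmin.exe
PID 1188 wrote to memory of 70008 1188 Dwm.exe cmd.exe
PID 1188 wrote to memory of 70008 1188 Dwm.exe cmd.exe
PID 1188 wrote to memory of 70008 1188 Dwm.exe cmd.exe
PID 70008 wrote to memory of 204 70008 cmd.exe vssadmin.exe
PID 70008 wrote to memory of 204 70008 cmd.exe vssadmin.exe
PID 70008 wrote to memory of 204 70008 cmd.exe vssadmin.exe
"""

# child pid -> parent pid, taken from the report's process tree. The sample
# (1652), taskhost.exe (1128) and Dwm.exe (1188) are roots of that tree.
PARENT = {824: 1652, 1568: 824, 69760: 1128, 69796: 69760, 70008: 1188, 204: 70008}

LINE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_image: str
    dst_image: str


def parse_writes(text):
    """Collapse the table into distinct src->dst edges with a call count each."""
    counts = Counter()
    for m in LINE.finditer(text):
        counts[Write(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return counts


def find_injections(counts, parent):
    """Heuristic (this example's own): a write into a process the writer did not
    create is an injection candidate. A parent writing into the child it has
    just spawned is part of normal process creation and is excluded."""
    return [w for w in counts if parent.get(w.dst_pid) != w.src_pid]


def children(pid, parent):
    return sorted(c for c, p in parent.items() if p == pid)


def render_chain(pid, counts, parent, depth=0):
    """Indented subtree rooted at pid; image names come from the write edges."""
    names = {}
    for w in counts:
        names[w.src_pid] = w.src_image
        names[w.dst_pid] = w.dst_image
    lines = [f"{'  ' * depth}{names.get(pid, '?')} ({pid})"]
    for c in children(pid, parent):
        lines.extend(render_chain(c, counts, parent, depth + 1))
    return lines


def report(text, parent):
    """One block per injection candidate: the edge, then what the target went on to spawn."""
    counts = parse_writes(text)
    out = []
    for w in find_injections(counts, parent):
        out.append(f"INJECTION: {w.src_image} ({w.src_pid}) -> {w.dst_image} ({w.dst_pid}), "
                   f"{counts[w]} write(s)")
        out.extend("    " + line for line in render_chain(w.dst_pid, counts, parent))
    return out


if __name__ == "__main__":
    print("\n".join(report(REPORT_EXCERPT, PARENT)))
```

The parent check, not the repetition count, is what does the work: a real sensor would take the parent map from process-creation events rather than from a report's tree, but the rule is the same, and it is what separates the two single writes into taskhost.exe and Dwm.exe from the triplicate writes that every cmd.exe here makes into its own vssadmin.exe children.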
Processes
C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin Delete Shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin Delete Shadows /all /quiet
          - Interacts with shadow copies
C:\Windows\system32\taskhost.exe
  cmdline: "taskhost.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin Delete Shadows /all /quiet
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
          - Enumerates connected drives
          - Interacts with shadow copies
        C:\Windows\system32\vssadmin.exe
          cmdline: vssadmin Delete Shadows /all /quiet
          - Interacts with shadow copies
C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\System32\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\reg.exe
          cmdline: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
          - Adds Run key to start application
C:\Windows\system32\vssvc.exe
  cmdline: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\Dwm.exe
  cmdline: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Documents and Settings\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
  MD5: 8e2d6129134414243b5575f209252278
  SHA1: b943505fb63cfa1022ffc1ca8b0a650369ad50e8
  SHA256: 3f9815c83654c42b29174770004d2bce0235eb900d6855962b2234bc5e1a75b9
  SHA512: fecc0b1ea692cc9da7107c7e990bce9bc73226fac44db54a331e3ddfce7c1243c6d43e797a307e1380822cce46f2c2d3d91f9a8f601f6e7e1ec5cdd19422ab32
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
  MD5: 24a0724aed9b81a5687f7010ed35e2de
  SHA1: e841f3c41a51870e488ea68c48e9364f5f28cb7b
  SHA256: d28958a26f83c5335b9915162013c80733734b3262c3cfe21cd115343398047b
  SHA512: 7959ef01f83ae21b79928b97e9edb7d7bb3467ef0e0e9f4247dc6d1e3521d8c4127389c1b73a7a68d6fd6b7c7779544f8b8f60bd4d64acf7fc92ef85bb7627bc
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
  MD5: ace0e109b13097c8d6694759d3b3bcfc
  SHA1: a8d5c006824cb1df46b1afa0b530671cae29d6da
  SHA256: 392220b323a7378518e543585d1c55c48a275be81eb3be5f86055baf2d4a6476
  SHA512: 79c67580c08f318a41cef3f559cbdfb2f5e1ffabfe4389dbbe6afa478614adc3ca6b1987428b8c1e18e8e5dbf82d29ac26fb62feb32b4b28b8d536bf76bfe661
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
  MD5: 36a4945a3ccdc2b0e7daa5d6054aaf4f
  SHA1: 11d0ed664f36142e3bf1a12014a0282b047a9f44
  SHA256: 87f8d9680622a96418e8af81a70c4abd40aee20c878fa699c51c6c8147385315
  SHA512: 251c7d4119ca06cf18cb6fcf451b5c9a5b5893a9d4a9300b5cad4b7233c7792f37458f99f7664ed26602297c65ecefb983fc50c3d230091bd0679c3d3ded55af
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
  MD5: de420cf828fd41f9ba0aea52e183cec9
  SHA1: 7e98d63a7e3dd4f4a5e6ac988ea01ee96cba696a
  SHA256: d8c6c339c9cd082861953acb2914e15e356f2d643ac5fce0ff7848ee287b2fad
  SHA512: a49fd01105ee3c3f882e8f6c52ca396fb1d86dd4b8ad692eddfd74567bf03a9ac17d2961c18bb913c0f6f6b49e3ff32354c45235d3b5e916ef05e8abecdb8275
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
  MD5: 3fd0d365b4643bc4bd90c1158b5df94a
  SHA1: 2c2d94c0b63f8d3bb34092662a8d8a44929263e0
  SHA256: 202232f5fd0701d12bd4042fb91a3be1aa4c16692ce9bb6493377b7bf6bcc0d8
  SHA512: 6b5fabdaea9d85cfa96789b94383c3339b179ab092f273975a543c15962b7c90c98453ce9bcb97462434fcbd066303fcc7fcd37443294fc60676123a3e460f60
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  MD5: d4a04d1205a282da0a6e0bcb9efce189
  SHA1: bac04fc3a8728859c6b6f2b55e01b48644258a4c
  SHA256: a7da1a2edab30d62c8ce3bf905eeeeb233b059f3d5a502ebb1db7e66490c427d
  SHA512: 37e9f3a930953eabcd461bdeb7773e42cdce5c2910f90ac11f66e13ca94f953cff4988b4eb34a68ee25b5a8d5589157d0f0fe75a552981682363c4dfc233bd8c
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  MD5: 2cdd814b5313bd505b52d9e1988d30cc
  SHA1: 447586c6e99af75869444871d6fa7b258748667b
  SHA256: 159975bcf9d892f5e1ecaac2cfc6e533c827e5d0c45cecec66f53fb290ac1172
  SHA512: 53f12b7073436ee277c9b9c2ec651e573076f5d8332b9ce01a0c84a52314d6c520e044e0de256ab8b087dde4be08812fc6c52ee97605f1ccb438c55b4713733c
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  MD5: fdb0c8305bea87df1b5fcf657044581c
  SHA1: 8d277cc66f25decebffd5de055381d9c1524f569
  SHA256: abb78a4a5a4cfae8c07356004a65261a242119f724ec15539325b01fa5ce753f
  SHA512: 90ef8f42bb46a51f88663e27a9eb07b0daec07bfdebc86052d5e329d1625231b4cb6babb0839f2d439fb15e593a9ff69f984f58245d4266638ef04fc8d64732a
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
  MD5: a8269bf15c3ff41bec55e51e9115b9a0
  SHA1: 07b4034520344c5b567c077b867ac8e06d8224d2
  SHA256: f298c6090318b51447165f26d0d19a9e3a815fd8970e376db325e374e3514c00
  SHA512: 59472216f85f39393a0dc56dda0b7ef1b8a876cc031693ec666cb6eb0a2b395982f0291b7f5bcec970014b8446182f1a1d90011a1a83227444d2df6235bc5506
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: a75fff46cf88e55445812aedd1c3ed61
  SHA1: dea553c6067a567f4d07cd7ca0153ecbf7836a69
  SHA256: 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
  SHA512: 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
  MD5: 0b1835973a51e86da2713ea3b23c9d9e
  SHA1: c3a47d457e689dc094cb7c614b33ac11d41cee40
  SHA256: dc5c873861099de9eceab1c337736936d297049396b43dc8212c7fb6d434bc00
  SHA512: edb49371b3e6207546ea98d5cf3b62ae6d36d1d4b9255423906814e1ff68cf24b2d4bb967ede05083cf63369c3106bb9e38ef6612cb3cd1dce7cca0eb8c76b73
- C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
  MD5: 434d9c6286fe31588558c1a3a41e0ab7
  SHA1: c6a39f1400c0bbd3177732a102ac263644a3b2b0
  SHA256: 54fc84856047c558e17aaced24461a01113d598d96a04e47aaa85a0961eefe8e
  SHA512: c162a28bef80349cbb60d407ec9860a7e310a896e0b0a2bff7e1a23815c2ed9f0532ec20b4b038d4b7cdd081b10c302f732b68cb9d89095b8dc0b69521579272
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
a75fff46cf88e55445812aedd1c3ed61
SHA1dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA2562954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA5123c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xmlMD5
080c98fc66e9648bd54e873c6075b9d6
SHA1499bb471019480b42e3d255238d31a6f90e62e83
SHA256612ae2819ad691b3c77c980647538dc84a14eb48c27a2f67003e5632aaa42f6b
SHA512afe67df548744dfe36029157bbb94c1ccec64c70fb5544c3956d033ffc6a851bfe16d58d8d8f1f2d0ea3a11153d419864f96094cdae954e5fb9b0b35bc6391e7
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
a75fff46cf88e55445812aedd1c3ed61
SHA1dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA2562954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA5123c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cabMD5
390ff630c5c4e01d7e9dd9b6aca433dc
SHA12fc24483776b2e35dd9db265909e1e276c433064
SHA2568d8bc04639588fc3e511f76898959bc27ca3b775b42c7449cdfaca4cf77e84d0
SHA512a05d2dd3d5f49b839979b44bb41cd42047834337b834f34a95041e9c9982607ac3031f571909716114660a1f6059a755ce23556d31b12e2338ac51500bb2dabb
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xmlMD5
a4669a1338ebcd68a70bdb8bdd1a65b7
SHA1388dbc8c83c2a256a003f8d78e735e095da153fc
SHA2562c2993d135506880dfc4af7fc2fe070bb2c975bd034299f25bd8283ab7eba568
SHA512fdf8c3a1d54efddc9ee4efa59dd6d63bde2840a287b747146056b2620f084ea82c12f6fe14defee93d263478bc1c71eb99b6f4bf6022b3d384ce31b80e501317
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5 ed98e4f47781eee5f01556f9f1cec6eb
SHA1 5d547db25260fa86833daf54ac53969a23adc39d
SHA256 799c4b54a271e48c356cb9df28ddf800bf907e352daaaa4e3514358657261d0f
SHA512 4be223b4cc6d2ef36d6e23486626a29d7b2c105ced0f38d194e1294d345e3aaab70d23be67ee2e9e3599211d8b416eca20b2ddc4032e2fc3caf649b6a2f66523
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5 a2d037f7b409a70e49edfd56660a3493
SHA1 9ee79205add610b7849eb4b5ec2461d77adb82fa
SHA256 c065f20f8b329b14b0ec9a8c6072be7cd97852a522e591c4e9492796a6dd730c
SHA512 2c4e5b4c82e6e11376186741b2130374a5835e11584d1172ca6bd91e9d9f484fb81d299c5945671154a45ea2511350fc9a0c3d430ddc193d1a70ebe9faa97985
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5 750c0073c92bbd4fc0ff33f9f3ef30d9
SHA1 63b5285706389265c4397bb71283b6c51cae00c4
SHA256 65865ab4879d9969fd84aea779b0ca337b1f9355f29ec09f1c7ed760bfb1009a
SHA512 879c44ac3b8e75850d8a3ad206cd5a00db1807af717266c314dca997976bf0133c257b1bd13e6a07fec400a1bf0ce8ac68ef2aa1622e22a9a059f252075761e6
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5 a81d9ccb03040c2c502a7097646ce5cd
SHA1 0a6c974a3960d940602b338a0f2bd5c799473d60
SHA256 5f7fe1119c350c74886bc08f78438c0f5fe78cf35ede3ac6a7d6349bff119a14
SHA512 c8fd1496e173460d193cd3748ded933dd50c9a50b86910e506b25446238a41604ca8907acc469f4c1c5677c414405e6e30d0df8ce6f35a51207a85f7bc93f6f4
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5 8757c39afce698c0ed38583026eb4b76
SHA1 8a32cc2007852332da28c1dd621317f77fa0740c
SHA256 4fd423bc65717c96d41172ebf9496430e00b3b20fd3f1cffd7cb4828dc661352
SHA512 6db8d271cb108719894f823abbd17c721a162aa141698930fee79cc474e2f9e4f2ae9e122425b25d1f4f3f5f43232f44e7ff0ed02d2d98f0b08e34c4a820a4f3
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5 8bbcc6d77e835b37cd04dc4521fd0f7a
SHA1 6db27f1ea822caab019fce1fbe7525532c42cbb3
SHA256 ff8a2f1bd9f7243157abbda3cca27c4f5ba7d2bd4e0f76789f64006d1c3034b3
SHA512 cee170779e2a52da2104434eb0fb6fd44c2bd905be40dd965d3c2031f1dfedba1fde2c63978c72b757b65a74e1fdcf683b8c788aeef0c1f8e2c31d2aab124500
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5 1160365bca8035de879dcaaa86566ba4
SHA1 10f05e9c256cfc7a10dfd16b537ab6baea900e23
SHA256 2e7f1a61e92978fee3a4877640f7777c20ef91eadbeea8e023b9132246e294d6
SHA512 4f355a30d2403d8f56ae1029327a14e7e076863fc094479c710a1e1b476440081cfd24d6b49b5516092fd8cbe0ecf7ff19fef99d4784c38be94c549d347df339
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
MD5 585d9f829c46531e5b43369b7a6d3092
SHA1 d026c578bdf9a40da6723c1e4e846b5e6f95a7b7
SHA256 ca4f464015e98b4c9c5a56abb208d4f7a4851322ca62a7e5850a68498fd2deec
SHA512 3954cfe959943eda567a8a4cd1163071a2e8dd0c619335ba019277c0c2c83480384239fd0222c3bd163d2fd7495e15b7c56af4da1b988cfd1078479dc3ac1653
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
MD5 dd934cd1147ec92a266a1af2239b4680
SHA1 cf5869120505745662daf47a90d45e3cc6be88d6
SHA256 595ca3941ff2cafb440dd4cb8f3dba45836b76e4804b6a8591cb48e5e16d6f21
SHA512 55c25ffb469c72af1cc4a73d218d173748cb92983fc50f8d27dadb408bbaa7dcde98063598d04f7fce710fdea6cd75fb2c302ae6c84ec8701308d8151fcc893f
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
MD5 6cf30a7759e72fb7aca68dd54712f6de
SHA1 cf6f3650eae178ba2b23df5142ffa25f70a36c6e
SHA256 b5f2f6aea94c3f527956948f0bdd596b6752c0ad3203e00a9e146a28e6d619d3
SHA512 8a4fe52a92f18d86dbdeb0149a21a02a1d77e43eb8f676bd2db7946a17c1637097fbb1f8d4814bc3485fa3b93a0422ef057a427a169abb3de6ba1db375bfb41c
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi
MD5 cf8546f3bcd0ef8da706c60963345f91
SHA1 cdb9203a9e2917ab6d4738eebac5415ed923e52a
SHA256 a7494bd8d872ce4bb869a5a67f685868664e4cab79688b71cc881d056b7cb9f0
SHA512 241e8b94614344cb2106b14f8ec5be49afebbaab6bcf1782b9206f7054455cc6459ecea5e0d8beb438a211aeeccf13c7db61d7f2ba56b72b4f09dd0d33ceba0d
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml
MD5 5c1a52b7ed4ae5da4fb35fd98fd2a324
SHA1 91af9b94065f6a5a9f51e376581355bf9de236ef
SHA256 f935391b944e8f9351f0777ae041516b883c81b7728bb4cd8001b60c733d41b1
SHA512 cb36c0d32d553f456457edc0d4a12b27e6167c0bda32c551460f871d4af5b590d0e99ebc77afdc9a6a3133d4ccc809a9774d31c25962a18b8d5fb60151440db4
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
MD5 547fa16d1520283fddafd7eacf17c095
SHA1 770b8c0804b29bbef53fad6c16d02bc54cc1bc83
SHA256 79ce436f6f2d3b9b9cf4920a57f5a285b11135aee565c9d5faa9c7a465e0bdba
SHA512 f3497c5f775a75de875374c7957f4467d21b4e347cd1d1f9fbe12f0ba90382643f01c87a3b4fb4f3436a7e9e8d3d032ef965cad6774d72f2289938d0cac28d69
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
MD5 67d83ea46b7fd7c03e0607bfcb78a677
SHA1 6bd40ace4eae399cbf1d1eedf0c928db2839de3e
SHA256 a816df770e2a4e607ce12239e4aee2cfb1de36182ed4d8d7d8710e9159bdc8b6
SHA512 5b2acbdedeb818c0089530483b2649cb7665873985e9944cf87186af459ccf7fade4e8e238205d706809f15ae7cc283a5e63c7f6669cf28d0491972026520861
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
MD5 c877f014736b9229e95f75ced7295727
SHA1 a2f534a16ce0c5c92dcb6059bed244020eeaaf76
SHA256 71cd861c6e37f0d888993975afc4e6007ca6ca49f5d5c3e3b25948fc06808fe3
SHA512 632a27ac82adaeaaf537fac023691a8fd215a2bddc08f8edeb04e23f2f5bdb9f0f70c641fbb8368b53b075868c806b33d39199a831a3c0f9eab8a46228cca684
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
MD5 9a7862e35d4997496686e70e8af05a26
SHA1 adb8b60ea660491ab343fb25f9edc99df263844d
SHA256 2c001ee26141b0b537eadd2298f16d1f26b22cb70bbb6f176b6b230ef10a5a21
SHA512 069207c37a92abf9a3c9ef1e5886f0db118b8df7a810e596559de7426b17790fffe06658a88a90a2c28f395680d1ed509418410a3184e4c60fb4bd1a5fac9c99
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
MD5 2bbf8862519ffed866ff66466f5e57a0
SHA1 dd17f8499af89a57cb6dae119eab3ad927d26def
SHA256 66198217b82816dfdbea345e04f16ec29c7f4dd8417fee101971a6d2c6bb2a94
SHA512 8a6ea374dd0a7287de39f117d5e83190128b014d789d70547431220aa2af2bc7143b19098c46544efb271190fe025443a1f3a4d832d76e676a7883eb97ff5b28
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
MD5 3b7a3de731cc316d959adcc4fd13f792
SHA1 165e450f729a760dde1918a2146ea53ff8e40043
SHA256 20c0f375b6203097e8bdafb499856deb58dd21127ed2e8b1942deb162e48e41a
SHA512 8250b20ecce7613c88c201e032cfd0d0e48227eb374f98b528e7f7cecdca3b48ed3c296af2e7fe9ce26e5117df36b1d4bf5cdd024f6174711a1137ef70f3843f
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\MSOCache\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\PerfLogs\Admin\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\PerfLogs\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\Program Files\7-Zip\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\Program Files\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d
MD5 dfb8d48cd7ccb0c628d868e424956712
SHA1 6e1bdfd1376ccf97e99faf6f9650c16ebe078350
SHA256 3c461494e3c20d6ef677382808b13bb7886c098efed2e633467482fc5ab15729
SHA512 c6f33dd6dce07c4c8df576ed138c9f402009bd7ca029f15daa503e235eebb03d0ae8918ee891bcafac3f562de41bd012aacc056260b8e2d837e1aa836a383b1e
-
C:\RyukReadMe.txt
MD5 a75fff46cf88e55445812aedd1c3ed61
SHA1 dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA256 2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA512 3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\users\Public\PUBLIC
MD5 1137a89e82190887087eb7d6a2f232e0
SHA1 3abed7805d8c9092203e56f13caf74627ecf2f1c
SHA256 334c60dac259ffa6d4738a461a11907076e4712a7be8f5a818f63da21677b7b4
SHA512 0d04e3ea727839463b117c35c73b9ec26a860c3d4bc754c2c8a769d5e62b7c73209ce0127b219d98dcf386bc29211020da56bda9ac52f53da1eaf638f599da8c
-
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE
MD5 5334b2a7a40b933ef1a4fda94c6cf9e5
SHA1 643d0cecb76b7052e757f639d32b82a478c4bd16
SHA256 860a6f905965ccc8f7dcea2569c262507175f94ce995aa0f6e155c71fcb00ce2
SHA512 698b8ad81b232fcdff2bbc40a7752b4663f80cd3e58bb62230067a5f8ba5087d55723ac6380f257d4682fd2026dae4e8a4d94eb2c06850af99601fea9e8e2695
-
C:\users\Public\window.bat
MD5 d2aba3e1af80edd77e206cd43cfd3129
SHA1 3116da65d097708fad63a3b73d1c39bffa94cb01
SHA256 8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA512 0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
\??\c:\Program Files\BackupUnprotect.xml
MD5 0dda089b1d88fbad02f6fac9915c4dde
SHA1 43bb4795a7bcf95b7de769f8a03e2c9394de9955
SHA256 e3e33196606d01255244747d33272fb3d01e1f6a5cfc9d258915cb1515e10e3a
SHA512 594dcc3040403f2567c1f58455ed7250f57380c8f1f30af903d227ac996eb628db1bb3bbf09655dba63762cfee10381ddccbe5a44e75c6732347ecdc796bbfaa
-
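The dropped-files listing above is a raw sandbox export. Almost every entry is another copy of RyukReadMe.txt with one and the same hash; the handful of entries with a distinct hash (the files under C:\users\Public and the few other non-note paths) are the indicators actually worth hunting for. The following Python script is an added example, not part of this report or of any sandbox vendor's tooling. It parses the flattened form in which such exports commonly arrive (the hash label glued onto the path and onto each digest, entries separated by a lone `-`), validates each digest's hex length so a garbled hash is rejected rather than silently loaded, and separates the note copies from the unique artifacts. The sample input is constructed from four entries copied from this report; `parse_dropped_files`, `summarize` and `SAMPLE` are names chosen here.

```python
"""Parse a sandbox "dropped files" export into a deduplicated IOC set.

Added example; not part of the sandbox report or of any vendor tooling.
Input format (as such reports are often exported): a path line with the
MD5 label glued onto it, the MD5 hex on the next line, then SHA1<hex>,
SHA256<hex>, SHA512<hex>, and a lone "-" between entries.
"""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9A-Fa-f]+$")
# Label fused to value, e.g. "SHA2562954238f..."; longest label is tried first
# so "SHA512..." is never read as "SHA1" followed by hex "2...".
FUSED = re.compile(r"^(SHA512|SHA256|SHA1)([0-9A-Fa-f]+)$")


def _digest(label, value):
    """Reject anything that is not the exact hex length for that algorithm."""
    if not HEX.match(value) or len(value) != DIGEST_LEN[label]:
        raise ValueError(f"malformed {label}: {value!r}")
    return value.lower()


def parse_dropped_files(text):
    """Return one dict per entry: path plus MD5/SHA1/SHA256/SHA512 (None if absent)."""
    records, cur, want_md5 = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        if line.endswith("MD5") and not HEX.match(line):
            # Path line; the export glued the "MD5" label onto the file name.
            # Assumption: no dropped file name itself ends in "MD5".
            cur = {"path": line[:-3], "MD5": None, "SHA1": None,
                   "SHA256": None, "SHA512": None}
            records.append(cur)
            want_md5 = True
            continue
        if cur is None:
            continue  # digest lines before the first path: a truncated entry, skipped
        if want_md5:
            cur["MD5"] = _digest("MD5", line)
            want_md5 = False
            continue
        m = FUSED.match(line)
        if m:
            cur[m.group(1)] = _digest(m.group(1), m.group(2))
    return records


def summarize(records, note_name="RyukReadMe.txt"):
    """Split ransom-note copies (same hash everywhere) from the distinct artifacts."""
    by_sha256 = defaultdict(list)
    for r in records:
        by_sha256[r["SHA256"]].append(r["path"])
    note_hashes = {r["SHA256"] for r in records
                   if r["path"].rsplit("\\", 1)[-1] == note_name}
    note_copies = sum(len(by_sha256[h]) for h in note_hashes)
    artifacts = {h: p for h, p in by_sha256.items() if h not in note_hashes}
    return {"note_copies": note_copies,
            "note_sha256": sorted(note_hashes),  # more than one entry: note content varied
            "artifacts": artifacts}              # sha256 -> [paths]; hunt on these


# Constructed sample: four entries copied verbatim from the report's listing.
SAMPLE = r"""
C:\PerfLogs\RyukReadMe.txtMD5
a75fff46cf88e55445812aedd1c3ed61
SHA1dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA2562954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA5123c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\RyukReadMe.txtMD5
a75fff46cf88e55445812aedd1c3ed61
SHA1dea553c6067a567f4d07cd7ca0153ecbf7836a69
SHA2562954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf
SHA5123c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4
-
C:\users\Public\PUBLICMD5
1137a89e82190887087eb7d6a2f232e0
SHA13abed7805d8c9092203e56f13caf74627ecf2f1c
SHA256334c60dac259ffa6d4738a461a11907076e4712a7be8f5a818f63da21677b7b4
SHA5120d04e3ea727839463b117c35c73b9ec26a860c3d4bc754c2c8a769d5e62b7c73209ce0127b219d98dcf386bc29211020da56bda9ac52f53da1eaf638f599da8c
-
C:\users\Public\window.batMD5
d2aba3e1af80edd77e206cd43cfd3129
SHA13116da65d097708fad63a3b73d1c39bffa94cb01
SHA2568940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA5120059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
"""

if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    s = summarize(recs)
    print(f"{len(recs)} entries, {s['note_copies']} note copies, "
          f"{len(s['artifacts'])} distinct artifacts")
    for sha, paths in s["artifacts"].items():
        print(sha, *paths)
```

Feed the whole listing instead of `SAMPLE` and the `artifacts` keys are the SHA256 values to load into an EDR or hash-sweep; the note's own hash is still useful as a marker of which hosts were reached, but it says nothing about the payload, which is why it is reported separately.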
memory/204-145-0x0000000000000000-mapping.dmp
-
memory/236-146-0x0000000000000000-mapping.dmp
-
memory/824-60-0x0000000000000000-mapping.dmp
-
memory/1128-62-0x000000013FB00000-0x000000013FE8B000-memory.dmp
Filesize 3.5MB
-
memory/1568-61-0x0000000000000000-mapping.dmp
-
memory/1652-59-0x000007FEFB881000-0x000007FEFB883000-memory.dmp
Filesize 8KB
-
memory/69760-64-0x0000000000000000-mapping.dmp
-
memory/69796-66-0x0000000000000000-mapping.dmp
-
memory/70008-144-0x0000000000000000-mapping.dmp
-
memory/70044-67-0x0000000000000000-mapping.dmp
-
memory/70048-147-0x0000000000000000-mapping.dmp
-
memory/70076-68-0x0000000000000000-mapping.dmp
-
memory/70080-148-0x0000000000000000-mapping.dmp
-
memory/70108-69-0x0000000000000000-mapping.dmp
-
memory/70140-70-0x0000000000000000-mapping.dmp
-
memory/70164-149-0x0000000000000000-mapping.dmp
-
memory/70172-71-0x0000000000000000-mapping.dmp
-
memory/70188-150-0x0000000000000000-mapping.dmp
-
memory/70216-75-0x0000000000000000-mapping.dmp
-
memory/70236-151-0x0000000000000000-mapping.dmp
-
memory/70248-76-0x0000000000000000-mapping.dmp
-
memory/70252-152-0x0000000000000000-mapping.dmp
-
memory/70280-153-0x0000000000000000-mapping.dmp
-
memory/70280-77-0x0000000000000000-mapping.dmp
-
memory/70312-78-0x0000000000000000-mapping.dmp
-
memory/70312-154-0x0000000000000000-mapping.dmp
-
memory/70344-79-0x0000000000000000-mapping.dmp
-
memory/70348-155-0x0000000000000000-mapping.dmp
-
memory/70376-80-0x0000000000000000-mapping.dmp
-
memory/70396-156-0x0000000000000000-mapping.dmp
-
memory/70408-81-0x0000000000000000-mapping.dmp
-
memory/70412-157-0x0000000000000000-mapping.dmp
-
memory/70440-82-0x0000000000000000-mapping.dmp
-
memory/70440-158-0x0000000000000000-mapping.dmp