ryuk | 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56

Analysis

max time kernel
92s
max time network
40s
platform
windows7_x64
resource
win7v20210410
submitted
26-07-2021 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
Size

159KB
MD5

cb0c1248d3899358a375888bb4e8f3fe
SHA1

b72e75e9e901a44b655a5cf89cf0eadcaff46037
SHA256

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56
SHA512

298668596ab422c93ebedf41bc5751941c2646df5bfaf7f374beb207bf38fa6d223186984d71ef25b2c21e068870c9c5cf11626b99350f8799fb0ebaca4a4cee

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at StevKramer@protonmail.com or StevKramer@tutanota.com BTC wallet: 1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp Ryuk

Emails

StevKramer@protonmail.com

StevKramer@tutanota.com

Wallets

1CN2iQbBikFK9jM34Nb3WLx5DCenQLnbXp

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\OpenGet.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\SelectClose.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\OpenGet.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281638.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Lagos	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.INF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287417.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9B.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-queries_zh_CN.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\StatusAway.ico	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyReport.dotx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01805_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.DPV	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\UrbanFax.Dotx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\REFINED.ELM	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Ndjamena	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Yakutat	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Magadan	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightYellow\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\distribute_form.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\MSTAG.TLB	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_FormsHomePage.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Blog.dotx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0297269.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\BUTTON.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR44F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00414_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49B.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-openide-options.xml_hidden	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02153_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105360.WMF	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.event_1.3.100.v20140115-1647.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0241019.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Page_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\en-US\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02280_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FS3BOX.POC	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSIDEBR.DPV	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107350.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Funafuti	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0281008.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02022_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00241_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.zh_CN_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\RyukReadMe.txt	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
70080	vssadmin.exe
70164	vssadmin.exe
70188	vssadmin.exe
204	vssadmin.exe
70440	vssadmin.exe
70280	vssadmin.exe
236	vssadmin.exe
70252	vssadmin.exe
70412	vssadmin.exe
70440	vssadmin.exe
70312	vssadmin.exe
70076	vssadmin.exe
70140	vssadmin.exe
70216	vssadmin.exe
70344	vssadmin.exe
70408	vssadmin.exe
70236	vssadmin.exe
70396	vssadmin.exe
69796	vssadmin.exe
70172	vssadmin.exe
70248	vssadmin.exe
70376	vssadmin.exe
70048	vssadmin.exe
70312	vssadmin.exe
70348	vssadmin.exe
70108	vssadmin.exe
70280	vssadmin.exe
70044	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe

pid process

1652 1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe

pid	process
1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
Token: SeBackupPrivilege	69824	vssvc.exe
Token: SeRestorePrivilege	69824	vssvc.exe
Token: SeAuditPrivilege	69824	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1128 taskhost.exe
1188 Dwm.exe

pid	process
1128	taskhost.exe
1188	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 824	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe	cmd.exe
PID 1652 wrote to memory of 824	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe	cmd.exe
PID 1652 wrote to memory of 824	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe	cmd.exe
PID 1652 wrote to memory of 1128	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe	taskhost.exe
PID 824 wrote to memory of 1568	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1568	824	cmd.exe	reg.exe
PID 824 wrote to memory of 1568	824	cmd.exe	reg.exe
PID 1652 wrote to memory of 1188	1652	1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe	Dwm.exe
PID 1128 wrote to memory of 69760	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69760	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69760	1128	taskhost.exe	cmd.exe
PID 69760 wrote to memory of 69796	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 69796	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 69796	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70044	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70044	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70044	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70076	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70076	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70076	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70108	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70108	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70108	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70140	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70140	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70140	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70172	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70172	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70172	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70216	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70216	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70216	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70248	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70248	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70248	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70280	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70280	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70280	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70312	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70312	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70312	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70344	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70344	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70344	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70376	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70376	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70376	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70408	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70408	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70408	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70440	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70440	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70440	69760	cmd.exe	vssadmin.exe
PID 1188 wrote to memory of 70008	1188	Dwm.exe	cmd.exe
PID 1188 wrote to memory of 70008	1188	Dwm.exe	cmd.exe
PID 1188 wrote to memory of 70008	1188	Dwm.exe	cmd.exe
PID 70008 wrote to memory of 204	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 204	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 204	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 236	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 236	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 236	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 70048	70008	cmd.exe	vssadmin.exe
PID 70008 wrote to memory of 70048	70008	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:70008

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:204

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:70048

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70080

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70164

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70188

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70252

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70280

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70312

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70348

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70396

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70412

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70440

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69760

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69796

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:70044

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:70076

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70108

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70140

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70172

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70248

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70280

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70312

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70344

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70376

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70408

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70440

C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe
"C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\1455091954ecf9ccd6fe60cb8e982d9cfb4b3dc8414443ccfdfc444079829d56.sample.exe" /f
3⤵
- Adds Run key to start application
PID:1568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69824

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:69800

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
8e2d6129134414243b5575f209252278

SHA1
b943505fb63cfa1022ffc1ca8b0a650369ad50e8

SHA256
3f9815c83654c42b29174770004d2bce0235eb900d6855962b2234bc5e1a75b9

SHA512
fecc0b1ea692cc9da7107c7e990bce9bc73226fac44db54a331e3ddfce7c1243c6d43e797a307e1380822cce46f2c2d3d91f9a8f601f6e7e1ec5cdd19422ab32

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
24a0724aed9b81a5687f7010ed35e2de

SHA1
e841f3c41a51870e488ea68c48e9364f5f28cb7b

SHA256
d28958a26f83c5335b9915162013c80733734b3262c3cfe21cd115343398047b

SHA512
7959ef01f83ae21b79928b97e9edb7d7bb3467ef0e0e9f4247dc6d1e3521d8c4127389c1b73a7a68d6fd6b7c7779544f8b8f60bd4d64acf7fc92ef85bb7627bc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
ace0e109b13097c8d6694759d3b3bcfc

SHA1
a8d5c006824cb1df46b1afa0b530671cae29d6da

SHA256
392220b323a7378518e543585d1c55c48a275be81eb3be5f86055baf2d4a6476

SHA512
79c67580c08f318a41cef3f559cbdfb2f5e1ffabfe4389dbbe6afa478614adc3ca6b1987428b8c1e18e8e5dbf82d29ac26fb62feb32b4b28b8d536bf76bfe661

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
36a4945a3ccdc2b0e7daa5d6054aaf4f

SHA1
11d0ed664f36142e3bf1a12014a0282b047a9f44

SHA256
87f8d9680622a96418e8af81a70c4abd40aee20c878fa699c51c6c8147385315

SHA512
251c7d4119ca06cf18cb6fcf451b5c9a5b5893a9d4a9300b5cad4b7233c7792f37458f99f7664ed26602297c65ecefb983fc50c3d230091bd0679c3d3ded55af

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
MD5
de420cf828fd41f9ba0aea52e183cec9

SHA1
7e98d63a7e3dd4f4a5e6ac988ea01ee96cba696a

SHA256
d8c6c339c9cd082861953acb2914e15e356f2d643ac5fce0ff7848ee287b2fad

SHA512
a49fd01105ee3c3f882e8f6c52ca396fb1d86dd4b8ad692eddfd74567bf03a9ac17d2961c18bb913c0f6f6b49e3ff32354c45235d3b5e916ef05e8abecdb8275

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
MD5
3fd0d365b4643bc4bd90c1158b5df94a

SHA1
2c2d94c0b63f8d3bb34092662a8d8a44929263e0

SHA256
202232f5fd0701d12bd4042fb91a3be1aa4c16692ce9bb6493377b7bf6bcc0d8

SHA512
6b5fabdaea9d85cfa96789b94383c3339b179ab092f273975a543c15962b7c90c98453ce9bcb97462434fcbd066303fcc7fcd37443294fc60676123a3e460f60

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
d4a04d1205a282da0a6e0bcb9efce189

SHA1
bac04fc3a8728859c6b6f2b55e01b48644258a4c

SHA256
a7da1a2edab30d62c8ce3bf905eeeeb233b059f3d5a502ebb1db7e66490c427d

SHA512
37e9f3a930953eabcd461bdeb7773e42cdce5c2910f90ac11f66e13ca94f953cff4988b4eb34a68ee25b5a8d5589157d0f0fe75a552981682363c4dfc233bd8c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
MD5
2cdd814b5313bd505b52d9e1988d30cc

SHA1
447586c6e99af75869444871d6fa7b258748667b

SHA256
159975bcf9d892f5e1ecaac2cfc6e533c827e5d0c45cecec66f53fb290ac1172

SHA512
53f12b7073436ee277c9b9c2ec651e573076f5d8332b9ce01a0c84a52314d6c520e044e0de256ab8b087dde4be08812fc6c52ee97605f1ccb438c55b4713733c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
fdb0c8305bea87df1b5fcf657044581c

SHA1
8d277cc66f25decebffd5de055381d9c1524f569

SHA256
abb78a4a5a4cfae8c07356004a65261a242119f724ec15539325b01fa5ce753f

SHA512
90ef8f42bb46a51f88663e27a9eb07b0daec07bfdebc86052d5e329d1625231b4cb6babb0839f2d439fb15e593a9ff69f984f58245d4266638ef04fc8d64732a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
MD5
a8269bf15c3ff41bec55e51e9115b9a0

SHA1
07b4034520344c5b567c077b867ac8e06d8224d2

SHA256
f298c6090318b51447165f26d0d19a9e3a815fd8970e376db325e374e3514c00

SHA512
59472216f85f39393a0dc56dda0b7ef1b8a876cc031693ec666cb6eb0a2b395982f0291b7f5bcec970014b8446182f1a1d90011a1a83227444d2df6235bc5506

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
0b1835973a51e86da2713ea3b23c9d9e

SHA1
c3a47d457e689dc094cb7c614b33ac11d41cee40

SHA256
dc5c873861099de9eceab1c337736936d297049396b43dc8212c7fb6d434bc00

SHA512
edb49371b3e6207546ea98d5cf3b62ae6d36d1d4b9255423906814e1ff68cf24b2d4bb967ede05083cf63369c3106bb9e38ef6612cb3cd1dce7cca0eb8c76b73

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
MD5
434d9c6286fe31588558c1a3a41e0ab7

SHA1
c6a39f1400c0bbd3177732a102ac263644a3b2b0

SHA256
54fc84856047c558e17aaced24461a01113d598d96a04e47aaa85a0961eefe8e

SHA512
c162a28bef80349cbb60d407ec9860a7e310a896e0b0a2bff7e1a23815c2ed9f0532ec20b4b038d4b7cdd081b10c302f732b68cb9d89095b8dc0b69521579272

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
080c98fc66e9648bd54e873c6075b9d6

SHA1
499bb471019480b42e3d255238d31a6f90e62e83

SHA256
612ae2819ad691b3c77c980647538dc84a14eb48c27a2f67003e5632aaa42f6b

SHA512
afe67df548744dfe36029157bbb94c1ccec64c70fb5544c3956d033ffc6a851bfe16d58d8d8f1f2d0ea3a11153d419864f96094cdae954e5fb9b0b35bc6391e7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
MD5
390ff630c5c4e01d7e9dd9b6aca433dc

SHA1
2fc24483776b2e35dd9db265909e1e276c433064

SHA256
8d8bc04639588fc3e511f76898959bc27ca3b775b42c7449cdfaca4cf77e84d0

SHA512
a05d2dd3d5f49b839979b44bb41cd42047834337b834f34a95041e9c9982607ac3031f571909716114660a1f6059a755ce23556d31b12e2338ac51500bb2dabb

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
MD5
a4669a1338ebcd68a70bdb8bdd1a65b7

SHA1
388dbc8c83c2a256a003f8d78e735e095da153fc

SHA256
2c2993d135506880dfc4af7fc2fe070bb2c975bd034299f25bd8283ab7eba568

SHA512
fdf8c3a1d54efddc9ee4efa59dd6d63bde2840a287b747146056b2620f084ea82c12f6fe14defee93d263478bc1c71eb99b6f4bf6022b3d384ce31b80e501317

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5
ed98e4f47781eee5f01556f9f1cec6eb

SHA1
5d547db25260fa86833daf54ac53969a23adc39d

SHA256
799c4b54a271e48c356cb9df28ddf800bf907e352daaaa4e3514358657261d0f

SHA512
4be223b4cc6d2ef36d6e23486626a29d7b2c105ced0f38d194e1294d345e3aaab70d23be67ee2e9e3599211d8b416eca20b2ddc4032e2fc3caf649b6a2f66523

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5
a2d037f7b409a70e49edfd56660a3493

SHA1
9ee79205add610b7849eb4b5ec2461d77adb82fa

SHA256
c065f20f8b329b14b0ec9a8c6072be7cd97852a522e591c4e9492796a6dd730c

SHA512
2c4e5b4c82e6e11376186741b2130374a5835e11584d1172ca6bd91e9d9f484fb81d299c5945671154a45ea2511350fc9a0c3d430ddc193d1a70ebe9faa97985

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5
750c0073c92bbd4fc0ff33f9f3ef30d9

SHA1
63b5285706389265c4397bb71283b6c51cae00c4

SHA256
65865ab4879d9969fd84aea779b0ca337b1f9355f29ec09f1c7ed760bfb1009a

SHA512
879c44ac3b8e75850d8a3ad206cd5a00db1807af717266c314dca997976bf0133c257b1bd13e6a07fec400a1bf0ce8ac68ef2aa1622e22a9a059f252075761e6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5
a81d9ccb03040c2c502a7097646ce5cd

SHA1
0a6c974a3960d940602b338a0f2bd5c799473d60

SHA256
5f7fe1119c350c74886bc08f78438c0f5fe78cf35ede3ac6a7d6349bff119a14

SHA512
c8fd1496e173460d193cd3748ded933dd50c9a50b86910e506b25446238a41604ca8907acc469f4c1c5677c414405e6e30d0df8ce6f35a51207a85f7bc93f6f4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5
8757c39afce698c0ed38583026eb4b76

SHA1
8a32cc2007852332da28c1dd621317f77fa0740c

SHA256
4fd423bc65717c96d41172ebf9496430e00b3b20fd3f1cffd7cb4828dc661352

SHA512
6db8d271cb108719894f823abbd17c721a162aa141698930fee79cc474e2f9e4f2ae9e122425b25d1f4f3f5f43232f44e7ff0ed02d2d98f0b08e34c4a820a4f3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
8bbcc6d77e835b37cd04dc4521fd0f7a

SHA1
6db27f1ea822caab019fce1fbe7525532c42cbb3

SHA256
ff8a2f1bd9f7243157abbda3cca27c4f5ba7d2bd4e0f76789f64006d1c3034b3

SHA512
cee170779e2a52da2104434eb0fb6fd44c2bd905be40dd965d3c2031f1dfedba1fde2c63978c72b757b65a74e1fdcf683b8c788aeef0c1f8e2c31d2aab124500

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5
1160365bca8035de879dcaaa86566ba4

SHA1
10f05e9c256cfc7a10dfd16b537ab6baea900e23

SHA256
2e7f1a61e92978fee3a4877640f7777c20ef91eadbeea8e023b9132246e294d6

SHA512
4f355a30d2403d8f56ae1029327a14e7e076863fc094479c710a1e1b476440081cfd24d6b49b5516092fd8cbe0ecf7ff19fef99d4784c38be94c549d347df339

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
585d9f829c46531e5b43369b7a6d3092

SHA1
d026c578bdf9a40da6723c1e4e846b5e6f95a7b7

SHA256
ca4f464015e98b4c9c5a56abb208d4f7a4851322ca62a7e5850a68498fd2deec

SHA512
3954cfe959943eda567a8a4cd1163071a2e8dd0c619335ba019277c0c2c83480384239fd0222c3bd163d2fd7495e15b7c56af4da1b988cfd1078479dc3ac1653

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
MD5
dd934cd1147ec92a266a1af2239b4680

SHA1
cf5869120505745662daf47a90d45e3cc6be88d6

SHA256
595ca3941ff2cafb440dd4cb8f3dba45836b76e4804b6a8591cb48e5e16d6f21

SHA512
55c25ffb469c72af1cc4a73d218d173748cb92983fc50f8d27dadb408bbaa7dcde98063598d04f7fce710fdea6cd75fb2c302ae6c84ec8701308d8151fcc893f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
6cf30a7759e72fb7aca68dd54712f6de

SHA1
cf6f3650eae178ba2b23df5142ffa25f70a36c6e

SHA256
b5f2f6aea94c3f527956948f0bdd596b6752c0ad3203e00a9e146a28e6d619d3

SHA512
8a4fe52a92f18d86dbdeb0149a21a02a1d77e43eb8f676bd2db7946a17c1637097fbb1f8d4814bc3485fa3b93a0422ef057a427a169abb3de6ba1db375bfb41c

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi
MD5
cf8546f3bcd0ef8da706c60963345f91

SHA1
cdb9203a9e2917ab6d4738eebac5415ed923e52a

SHA256
a7494bd8d872ce4bb869a5a67f685868664e4cab79688b71cc881d056b7cb9f0

SHA512
241e8b94614344cb2106b14f8ec5be49afebbaab6bcf1782b9206f7054455cc6459ecea5e0d8beb438a211aeeccf13c7db61d7f2ba56b72b4f09dd0d33ceba0d

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
5c1a52b7ed4ae5da4fb35fd98fd2a324

SHA1
91af9b94065f6a5a9f51e376581355bf9de236ef

SHA256
f935391b944e8f9351f0777ae041516b883c81b7728bb4cd8001b60c733d41b1

SHA512
cb36c0d32d553f456457edc0d4a12b27e6167c0bda32c551460f871d4af5b590d0e99ebc77afdc9a6a3133d4ccc809a9774d31c25962a18b8d5fb60151440db4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
MD5
547fa16d1520283fddafd7eacf17c095

SHA1
770b8c0804b29bbef53fad6c16d02bc54cc1bc83

SHA256
79ce436f6f2d3b9b9cf4920a57f5a285b11135aee565c9d5faa9c7a465e0bdba

SHA512
f3497c5f775a75de875374c7957f4467d21b4e347cd1d1f9fbe12f0ba90382643f01c87a3b4fb4f3436a7e9e8d3d032ef965cad6774d72f2289938d0cac28d69

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
MD5
67d83ea46b7fd7c03e0607bfcb78a677

SHA1
6bd40ace4eae399cbf1d1eedf0c928db2839de3e

SHA256
a816df770e2a4e607ce12239e4aee2cfb1de36182ed4d8d7d8710e9159bdc8b6

SHA512
5b2acbdedeb818c0089530483b2649cb7665873985e9944cf87186af459ccf7fade4e8e238205d706809f15ae7cc283a5e63c7f6669cf28d0491972026520861

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
MD5
c877f014736b9229e95f75ced7295727

SHA1
a2f534a16ce0c5c92dcb6059bed244020eeaaf76

SHA256
71cd861c6e37f0d888993975afc4e6007ca6ca49f5d5c3e3b25948fc06808fe3

SHA512
632a27ac82adaeaaf537fac023691a8fd215a2bddc08f8edeb04e23f2f5bdb9f0f70c641fbb8368b53b075868c806b33d39199a831a3c0f9eab8a46228cca684

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
9a7862e35d4997496686e70e8af05a26

SHA1
adb8b60ea660491ab343fb25f9edc99df263844d

SHA256
2c001ee26141b0b537eadd2298f16d1f26b22cb70bbb6f176b6b230ef10a5a21

SHA512
069207c37a92abf9a3c9ef1e5886f0db118b8df7a810e596559de7426b17790fffe06658a88a90a2c28f395680d1ed509418410a3184e4c60fb4bd1a5fac9c99

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
MD5
2bbf8862519ffed866ff66466f5e57a0

SHA1
dd17f8499af89a57cb6dae119eab3ad927d26def

SHA256
66198217b82816dfdbea345e04f16ec29c7f4dd8417fee101971a6d2c6bb2a94

SHA512
8a6ea374dd0a7287de39f117d5e83190128b014d789d70547431220aa2af2bc7143b19098c46544efb271190fe025443a1f3a4d832d76e676a7883eb97ff5b28

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
MD5
3b7a3de731cc316d959adcc4fd13f792

SHA1
165e450f729a760dde1918a2146ea53ff8e40043

SHA256
20c0f375b6203097e8bdafb499856deb58dd21127ed2e8b1942deb162e48e41a

SHA512
8250b20ecce7613c88c201e032cfd0d0e48227eb374f98b528e7f7cecdca3b48ed3c296af2e7fe9ce26e5117df36b1d4bf5cdd024f6174711a1137ef70f3843f

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\MSOCache\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\PerfLogs\Admin\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\PerfLogs\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\Program Files\7-Zip\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\Program Files\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d
MD5
dfb8d48cd7ccb0c628d868e424956712

SHA1
6e1bdfd1376ccf97e99faf6f9650c16ebe078350

SHA256
3c461494e3c20d6ef677382808b13bb7886c098efed2e633467482fc5ab15729

SHA512
c6f33dd6dce07c4c8df576ed138c9f402009bd7ca029f15daa503e235eebb03d0ae8918ee891bcafac3f562de41bd012aacc056260b8e2d837e1aa836a383b1e

Download Submit
C:\RyukReadMe.txt
MD5
a75fff46cf88e55445812aedd1c3ed61

SHA1
dea553c6067a567f4d07cd7ca0153ecbf7836a69

SHA256
2954238fe7998b325de1a1a5f6c6639a8044d1484134367d1919d89c3e87e7bf

SHA512
3c1e061bacbd9f8e3e865664515c581e37921ca7bd68f14fbce2e9e0ea1a8b49241f6c976a666ddbb99ffdcd87955bd6350d125082f51dd705e500be6b73ede4

Download Submit
C:\users\Public\PUBLIC
MD5
1137a89e82190887087eb7d6a2f232e0

SHA1
3abed7805d8c9092203e56f13caf74627ecf2f1c

SHA256
334c60dac259ffa6d4738a461a11907076e4712a7be8f5a818f63da21677b7b4

SHA512
0d04e3ea727839463b117c35c73b9ec26a860c3d4bc754c2c8a769d5e62b7c73209ce0127b219d98dcf386bc29211020da56bda9ac52f53da1eaf638f599da8c

Download Submit
C:\users\Public\UNIQUE_ID_DO_NOT_REMOVE
MD5
5334b2a7a40b933ef1a4fda94c6cf9e5

SHA1
643d0cecb76b7052e757f639d32b82a478c4bd16

SHA256
860a6f905965ccc8f7dcea2569c262507175f94ce995aa0f6e155c71fcb00ce2

SHA512
698b8ad81b232fcdff2bbc40a7752b4663f80cd3e58bb62230067a5f8ba5087d55723ac6380f257d4682fd2026dae4e8a4d94eb2c06850af99601fea9e8e2695

Download Submit
C:\users\Public\window.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Program Files\BackupUnprotect.xml
MD5
0dda089b1d88fbad02f6fac9915c4dde

SHA1
43bb4795a7bcf95b7de769f8a03e2c9394de9955

SHA256
e3e33196606d01255244747d33272fb3d01e1f6a5cfc9d258915cb1515e10e3a

SHA512
594dcc3040403f2567c1f58455ed7250f57380c8f1f30af903d227ac996eb628db1bb3bbf09655dba63762cfee10381ddccbe5a44e75c6732347ecdc796bbfaa

Download Submit
memory/204-145-0x0000000000000000-mapping.dmp

Download
memory/236-146-0x0000000000000000-mapping.dmp

Download
memory/824-60-0x0000000000000000-mapping.dmp

Download
memory/1128-62-0x000000013FB00000-0x000000013FE8B000-memory.dmp

Filesize
3.5MB

Download
memory/1568-61-0x0000000000000000-mapping.dmp

Download
memory/1652-59-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/69760-64-0x0000000000000000-mapping.dmp

Download
memory/69796-66-0x0000000000000000-mapping.dmp

Download
memory/70008-144-0x0000000000000000-mapping.dmp

Download
memory/70044-67-0x0000000000000000-mapping.dmp

Download
memory/70048-147-0x0000000000000000-mapping.dmp

Download
memory/70076-68-0x0000000000000000-mapping.dmp

Download
memory/70080-148-0x0000000000000000-mapping.dmp

Download
memory/70108-69-0x0000000000000000-mapping.dmp

Download
memory/70140-70-0x0000000000000000-mapping.dmp

Download
memory/70164-149-0x0000000000000000-mapping.dmp

Download
memory/70172-71-0x0000000000000000-mapping.dmp

Download
memory/70188-150-0x0000000000000000-mapping.dmp

Download
memory/70216-75-0x0000000000000000-mapping.dmp

Download
memory/70236-151-0x0000000000000000-mapping.dmp

Download
memory/70248-76-0x0000000000000000-mapping.dmp

Download
memory/70252-152-0x0000000000000000-mapping.dmp

Download
memory/70280-153-0x0000000000000000-mapping.dmp

Download
memory/70280-77-0x0000000000000000-mapping.dmp

Download
memory/70312-78-0x0000000000000000-mapping.dmp

Download
memory/70312-154-0x0000000000000000-mapping.dmp

Download
memory/70344-79-0x0000000000000000-mapping.dmp

Download
memory/70348-155-0x0000000000000000-mapping.dmp

Download
memory/70376-80-0x0000000000000000-mapping.dmp

Download
memory/70396-156-0x0000000000000000-mapping.dmp

Download
memory/70408-81-0x0000000000000000-mapping.dmp

Download
memory/70412-157-0x0000000000000000-mapping.dmp

Download
memory/70440-82-0x0000000000000000-mapping.dmp

Download
memory/70440-158-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads