ryuk | 8a33e2792e0d41c6b99a1203187f650fa16a7a0c187938457bc526526f13b5c2

Resubmissions

25-08-2021 09:56

210825-v7gpzzrw7s 10

27-04-2021 14:41

210427-hta8ys4aka 10

Analysis

max time kernel
1443s
max time network
1445s
platform
windows7_x64
resource
win7v20210410
submitted
25-08-2021 09:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

therapeutic-rule.exe
Size

170KB
MD5

fc080fae536e8801a2f3400804f2734b
SHA1

0d79a4ebbc04b7abc268b76068335e0dd581abb4
SHA256

8a33e2792e0d41c6b99a1203187f650fa16a7a0c187938457bc526526f13b5c2
SHA512

0fc4740cd0601d2b382625a940e3d68479fca6fefefd5421b7c72a9739d0ee3676c3278866a7eb1aec49dc3102ea712fa40f11fcb33f5e7b4c784d3ae14ccd01

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\PushProtect.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\PushProtect.tiff	Dwm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\therapeutic-rule.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_K_COL.HXK	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02265_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD02116_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00057_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00127_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME24.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MY.XML	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\access-bridge-64.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152884.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105286.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_LightSpirit.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ecf.filetransfer_5.0.0.v20140827-1444.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\MSTHED98.POC	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.CNT	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GROOVE_COL.HXC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237336.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\shatter.png	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME34.CSS	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REPORT.CFG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SUMIPNTG\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\PreviousMenuButtonIconSubpi.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21319_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.JP.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00373_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenclm.dat	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-6	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN089.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_italic.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152608.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\en-US\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE01797_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\LICENSE	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Glace_Bay	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152704.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21299_.GIF	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
69616	vssadmin.exe
70424	vssadmin.exe
70048	vssadmin.exe
69928	vssadmin.exe
70348	vssadmin.exe
70436	vssadmin.exe
69680	vssadmin.exe
70032	vssadmin.exe
70520	vssadmin.exe
70072	vssadmin.exe
69712	vssadmin.exe
70088	vssadmin.exe
70172	vssadmin.exe
13368	vssadmin.exe
34208	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

therapeutic-rule.exe

pid process

1092 therapeutic-rule.exe

pid	process
1092	therapeutic-rule.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

therapeutic-rule.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1092	therapeutic-rule.exe
Token: SeBackupPrivilege	69956	vssvc.exe
Token: SeRestorePrivilege	69956	vssvc.exe
Token: SeAuditPrivilege	69956	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1128 taskhost.exe
1188 Dwm.exe

pid	process
1128	taskhost.exe
1188	Dwm.exe

Suspicious use of WriteProcessMemory 59 IoCs

Processes:

therapeutic-rule.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1092 wrote to memory of 1216	1092	therapeutic-rule.exe	cmd.exe
PID 1092 wrote to memory of 1216	1092	therapeutic-rule.exe	cmd.exe
PID 1092 wrote to memory of 1216	1092	therapeutic-rule.exe	cmd.exe
PID 1092 wrote to memory of 1128	1092	therapeutic-rule.exe	taskhost.exe
PID 1216 wrote to memory of 848	1216	cmd.exe	reg.exe
PID 1216 wrote to memory of 848	1216	cmd.exe	reg.exe
PID 1216 wrote to memory of 848	1216	cmd.exe	reg.exe
PID 1092 wrote to memory of 1188	1092	therapeutic-rule.exe	Dwm.exe
PID 1128 wrote to memory of 69888	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69888	1128	taskhost.exe	cmd.exe
PID 1128 wrote to memory of 69888	1128	taskhost.exe	cmd.exe
PID 69888 wrote to memory of 69928	69888	cmd.exe	vssadmin.exe
PID 69888 wrote to memory of 69928	69888	cmd.exe	vssadmin.exe
PID 69888 wrote to memory of 69928	69888	cmd.exe	vssadmin.exe
PID 1188 wrote to memory of 69536	1188	Dwm.exe	cmd.exe
PID 1188 wrote to memory of 69536	1188	Dwm.exe	cmd.exe
PID 1188 wrote to memory of 69536	1188	Dwm.exe	cmd.exe
PID 69536 wrote to memory of 69616	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69616	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69616	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69680	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69680	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69680	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69712	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69712	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 69712	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 34208	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 34208	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 34208	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70032	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70032	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70032	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70088	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70088	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70088	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70172	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70172	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70172	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70348	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70348	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70348	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70436	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70436	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70436	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70520	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70520	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70520	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70424	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70424	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70424	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 13368	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 13368	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 13368	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70072	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70072	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70072	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70048	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70048	69536	cmd.exe	vssadmin.exe
PID 69536 wrote to memory of 70048	69536	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69536

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69616

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69680

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:69712

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:34208

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70032

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70088

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70172

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70348

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70436

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70520

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70424

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:13368

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70072

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70048

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69888

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69928

C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe
"C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\therapeutic-rule.exe" /f
3⤵
- Adds Run key to start application
PID:848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69956

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:69636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
d638b49efebb4452ba33085adb0f2af4

SHA1
9a6be607f403c2b760ffbaed254d488167c6e7a4

SHA256
3da77807d753b83bba4960d6cb5ddd6d60ef5e2a31c794cc3f9b465766eb154a

SHA512
80885deecf80e63df1adc45540b760ee770b42daa1ef7d96349f2a5c3629480b5c794d9bf765faa0abe82d43d4e92a5ea2a81823aa36d355bd187c8425f5b8ff

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
9a036cb85f2a512e228972dd6824f1ed

SHA1
25dabc369792c8438010462755b0e5618471e847

SHA256
bab942840e2db4a5c6d949b838ca721c69fc790a9b89816d34df80e899815465

SHA512
f0fd38f7acd743e023d65ffa39aaa0391fbac49b9682ec082b3e0b201fd8861c1021b10241a25be88da96f60d2eb3ca199803fbedc01855ff0839fdf6b932376

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
5acd40454e30223808a0de64e7cbb618

SHA1
e3f9d42083b7ebcabc52cc92fe570d03df9614eb

SHA256
4d267c5f4eecacf5a4afc60a8992ce89f9787e59bb39893b041562193ede0770

SHA512
40c0c8c0f952dc53376831aeff0fa15428541901ea59b08ea1be3cae980e75aadb77b17b3252b9c06ad5ee5a2c300d620fbb20d3cd2565edacbfbffd66273b67

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
b9376836204c80155e4e308dca2bc6f0

SHA1
01297096ff458c10110bbbfad87d06d6f757dbb3

SHA256
8bbe3f83f316b275382ef430cd8c05826f440dd13de96be52ee6a824832c5f86

SHA512
1be01d9d6b4ae9c6ddfcb470cfa215a133039d8e245bab9f2fb9a68c7304682da367f1deefac826f60260e3c4046e91040f2feac77a2ed7f677df337d98b8872

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
f20779a45ef23b1b5de96508848f1663

SHA1
df4924c9ddb7a59a4ff19a0d3baf7f8f79c25153

SHA256
88030c034a067ca8d8af54d857ab9c6c9afbefd06d40cf66ae3b3f2db484250a

SHA512
685f5af84a32969c61e6521363b84f839b2bac96bf92421db7c3bc614c457f743fdc7a563934a66ae63e6cca988ce89cd4f531d7d7b0a685be9d34274c181acd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
ec13dd4999beda479dfa95dfea92caf5

SHA1
7319771f073dfad4151075a0517f56c2bea8df1c

SHA256
eb60a0e976b3e90e2588d9b572abdd1072efb3d761c1eb9e64dcd6ff32949a34

SHA512
6f82e3a3f5b0236925e41bb56da3ff3ca2c467a9842029d5081c21009e3786697987b7a4b01c91d83c08b35fdd047497052c896a027f29c8ac150f58bfd835d0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
c0cc88a4b3fd152f80ecef00d1f893de

SHA1
ad9573f79575eebbd7885ddbae0c14c283902d77

SHA256
8a57562431cbf1bf609abac0c2397d2a3808353b863009241ef978f0b248ebf2

SHA512
237a0915ec8fd3d6aee5909e700955b45fc6b54510c7108539982f6c042f9dcca905ffeceae1224112e677f2df4970154d52b300648a70feef8e45a9cd5e9c43

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
fd107588b21f71e94ac1147a97f1cd1d

SHA1
0dd07716cac1ecdcb01b52f0b3f9e25507851c07

SHA256
5e578d1ac70065bbee49155970873f2970cd255b2520e3174a3a54e87a336cbd

SHA512
617743ab7d907333120b14997fa67eec8cddecdc015fc51c6216a7eb45a1ec7a2d78d24d281645b964b4a99b82ebfa8b94caf58b70002fb6a98e21c6003b3dc4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
d0ebd252c5ac1b002fe947bfea2b6d70

SHA1
8f71cc9e3106a7427e0d18b47654d07607fd120f

SHA256
eabe381e651db7af2922cc8eb7a8e63af434a680f3df8dc04bc42912778bc647

SHA512
6d5ca36d1626aea6597e7f55822d40aa761b685ccf097f527f08218b7bf0e0db7179c5209dd1f84561b2014a3f319fa047ff6c7170692df162bbc38fa080614d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
9bf54a6ce04c1f2c81841ea964db9eb7

SHA1
ca08902ec62b1c10c6cdc4d57477f1f08bd6c91e

SHA256
18cfaaea58855a3f6547e39d14e83f6294e569ac70dc27677d243b606c771166

SHA512
5196806d9dfad7a2c809b637879740ac4a98c1c8e117a188960a1832ecd50a712537c8fd725baac6dd8a3ffc04b2f645595314b93bc8d41f6d3d45ede42118fc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
32d3dcad084800b37aad6c67f04c9dae

SHA1
de07b6a87d9d6a58ab91a472ef1986b3a81892a1

SHA256
22779b9a3600f48520c96da86fecddf021fb6daf6c7d7839e26439fbc710db1a

SHA512
c6a59a56a17709001993e38293266751eea7485ea396d50d9210cd30182a4f20212516691bee124d8f1917f102ddcaf6bf029b667d5bd5155d27b8ad8f1bf4ce

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
6e791a67a69e81d7ba1484207aa256b3

SHA1
8ec252e85039f9f050e0af2be2c1ca37bf10a8a8

SHA256
4b7b389b2623367428ac6f4d054be6041730e8e1d1e660eaeaba87b11133cc06

SHA512
6c29f98fa281647dd8e4c5e6a04b938ba4aaea8bd904438040a40f97a96baebef9ff783fdc34b360de9a25cd30bb4a06b784e2aeb22980334fdc5b3e0ef01fef

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
cd1cb69ed2c0d1b25a13247a114bd1e7

SHA1
ef845195db1d15d0ffe2d067cbebd16eda746955

SHA256
e41c8b0e44be2d48797d8d79bbf84dbcc7a73c40a344bce5d143431b06578ea1

SHA512
fba1d40496aa66da538295d99ae6ae215eeee939b7ddfd0917b9d04c7824f88f6a18a47e74a33e04d9649a4eb4527205761601b56b4b4c8a70b461ad7fe61963

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
a56dc591672937dff21b0669505114dc

SHA1
3b497d3ab544188606e31b9af28d6db86e438aff

SHA256
764eb9a4878ae73316a0775b52511a89bbf0c6951d2f31085008fb971947984c

SHA512
5636bd39798743106334cb69f76ba6a3c879238aee2682e8258bd6d73d4bfd74f4ce12ee4a7fc78a0c5b41356c71e0f45809b0594400dae41a284f0dd8ef5273

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
1532f22f6c5a0a1b97313d5b02459d6f

SHA1
89f5fb833f7bc57a752efafe8df90b3182b9b1bc

SHA256
9011dfae8124454049760b4799bc5497e56675612715a594e7c0fa01512a216e

SHA512
7a80fb7483d49059fcbaefca90f153cf0abd57105e9472ceb33c5e7dfd8e69aa4e6d2e20551f91b2a007224fb180c40f45e92e4acca6de6b55d39a71865a609a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
3f382056ad93170dd449872d4f02e854

SHA1
5eb45336a9ca897eef4c86de893a692eb8ff9ca6

SHA256
ce73400a76db27971e93bcc9ed23d7180e55c205162b293714224470314c8015

SHA512
27db2ceb2e12838d5857d307d1fab3ab488480095ab07cb117abda567bcae6dad6b3efe66e9fbec7eda08ee9aac162bce37227a1624726a7bf90eea23023c8d7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
421b9cb59f47ef15e85d15c9dc753ff5

SHA1
1b7728c3a512a17ce3dbf739450aaac8d9559ee2

SHA256
7d5561352b9b5b19c75ad5a8510df02656b4f45358157049d0651b0843d0f3b0

SHA512
6a738043a372c3f718b6e80598140f6ccb706bf833448a79c27df8eb035047521fd9a4de96158b88f2e7713b1e5a5c22631a29718eb44815d46c00a608f71365

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
a17fcacdb62bef33d9b5e2c2065ff47d

SHA1
79e7fabc0530d9b0951d9323ffd1096245370786

SHA256
31acbf62998d59e2944ecc42c00f58552a5b70fa9fb97716759205849b68531e

SHA512
1ed89c7662b7c3046ff289f7f25cd7fdc1742232beb9053230524a56ad0d0c0da50021335b12d581e25e2ca2ad18863ee0f43fb68de78f11cab07a2ffe9e9038

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
f4a5c0761e18947df159c4081dc6ac95

SHA1
68b3675b6a240f99f37d7056deea4c249e563e73

SHA256
7896638bea24db561aa6d3d3b13aa40a334e1e0ff92810da15c2801be42db55a

SHA512
5a389c772c5f60502c73315d19382b5c02347a09bb16d3b93d4222a1b23629db9aa050c207f188dd1058ba61f041017e4ec3f8ce11c56b2361027d55933cea47

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
cba1a492b3e0e95f06e07092fa9865eb

SHA1
1a95fa0934dbb75ef351c7bef7a73fcbeab52c46

SHA256
1c14d046d8b24a23b65edf408bbece36fca16ba8b6eba6801f08c9cddf54855a

SHA512
2a2b5b885f1f574a0e2b14168730b543c8ad46d5cf6c7e9c3918fb250ac449e10695fe7e1c910d08024d8c7c63ee703d1bc05fc86ee2506d68895518dfafc68c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
0bf93b063e7b175f21672075ac4b22bd

SHA1
08603e59d3806993d3f65772f9efe684de9f02bc

SHA256
2d3d70b69e14eea0c32d13108d6b40b9d8ab80416d5c35a9df28069db8d2e4e2

SHA512
2f33ef98afc95741477ea4af10ab459487df2b1ed0e97274d0fdff85055b432caf9b6474c5d83a54f1fb3915298ece8ce046f99152692b9dcbc241955c248f1a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

MD5
1400a07926904023514294071a11b1bd

SHA1
42bcd258c60487133b26f700477797d10265bb13

SHA256
a4072ccf822579348ebae2f33b8967d8f5f8dd79ccf81958090d90b8adc32834

SHA512
8fff7978c964e1572c02f40c293916a4d16196e15712e6e8f2feaa32e7a619717155d1b1778070813e71a5ef93490a6f750ad7599f5f5dad33cd0e56eeede91f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5
abe3712a209b127d8be6f27e3bf5eb31

SHA1
03bef901bca7cbfb8900790cca5e41ab8e19b1e3

SHA256
6fc4ed1d53e923914511c03a30cf9e0aa5ed89f25b99fdcec723b24890e4b9e4

SHA512
bebc7b9424abcf8867cec0541853d1c7b7b230af4972ba8d2212b9c6314a94048bb6b067be6d32e46bdef2a06b6ea4ec32da58d9928636c7fd815f567cc4e462

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

MD5
9ab63a44b25a694a5db46d4b9ba9f330

SHA1
e1f4a3e4b3132ece7d020dde4002ba4cc3f6eef2

SHA256
96b93f895339ff718c9310d98508783d2c322a76dc2f8e00242f4664dbb5519f

SHA512
30927a65afe6feb498dfaab215b839163088154fc5255b793a6c89c45cadd6e5263c732362ccb0ca110c4ccfd1901cb5b164beba7d6fbefbef309b4c9fc7fdc2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

MD5
f3c461dacf078bd2f7dadd61a5924a87

SHA1
a18df060366a77e257c984eaa1df358f0fe011d7

SHA256
37a78b2042d5b99fbb7bc4b306d84ebcd971226112072376afd745cafc472dc9

SHA512
1aaf3992db25eddfc738074258f2f8cd37eb332fd9cd0c404dc39f7d8eaba2dc575e21890465de53034a0b28c0c1fea6fcd774146e6481cfddd2821daf7bae4d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml

MD5
b3b82817a3b1502e0be07d86a1c72186

SHA1
787d5cb95dfd363e8d6c3303a8dee88377c7a227

SHA256
ff8065aae297ea892c0aadc270b1297c9cc7392679024e187860fd49786afce5

SHA512
c46744add0a7993a7652d17e62fdb434a67c0c25704325e893f16b62508515bd02f9cdad349b42544b3a628945acef1f2ec1e03ebc21651903a480164108a31b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml

MD5
dbaf6b836a65cf725ee0d25a23394db2

SHA1
35221bd3f28d109f936f2566e266a6bbe705dee0

SHA256
a530f8f313ccc19e428403f1c163db47f34ee2cf927c9f7df68efc81735796b5

SHA512
96e77e4125287df1f018074b76f78bd5f2814cbe6e240f3ced2b643f8414e6e5fe91e37e48324bd175ce8226231617919fce4d6272a1033d69a1b16bb7ebe169

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

MD5
80eb00ebec572bef4b3bdd6e8603c61e

SHA1
b9d7e9a918a6f0826292146049b526fa7a750f0a

SHA256
f68a44d9febcf66a955879fb63665488e9cade127dca7a3dfde10b1cfbc8a12b

SHA512
08ef6e6715005a78626ed4a81706d5f3329cce882b19254d39daea60918d600d76bc187e5f004a6e6ed7b81d90b8183e2a2c7e1e171b9eb4008742167f652239

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml

MD5
a6632733b9b0fae858cc11e31075589a

SHA1
e6ba65aa309d35783bf0224fbccc68c36e190bd8

SHA256
dd77efd8cbc8f33bc667134bee4a2a36b6d83e050117298e52606123fa652bc6

SHA512
d311f953b7c616fa7ba0a7193a1f29cddd1a984aa08f4efbab14548b11f5d7207486d8844035db709dfac47ae60859e48fc4e0744d41b3e6ec09e4b04c18a2fd

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi

MD5
3662134330cc3f3aeb1cf2d99b4c0adf

SHA1
fbf0c23a2f6ec0fbcc14334a14edd1197bab8186

SHA256
79789017771baf6da8c7318d24afce93b5df7f710a0622ede9382cb86e2aeb2d

SHA512
22b416b026681abb69efd3ae0324ca37ef96eb39792adc434b580860ede0c927c55df436ed253331cb15c6a028533639f69717b82eb6e2beba0a3f58f9c1b378

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab

MD5
c3c079b46960335f214df3652374a49f

SHA1
f3f4303cacca136b26e098f217d926460fba85b3

SHA256
583a63ed457fd75469c2f4c22215cafddbba4ba9c4a99d74303dc319287df700

SHA512
462be6cdb78747ec629efddc8856145908b9ee8368657f5b788d4306c3bd47b9ad739af39f7a431ada9e4f31e73764d2b033bafd078eda91017a426ace04eabc

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab

MD5
4e804dd7533cab6ade9b80c289c86e7d

SHA1
52e3658beb7dcc9a3af41dcae7bd773f5a7ad215

SHA256
1cdd7cee369c78a6467226eb72124a12429e22420fed143d44e8479615c2f526

SHA512
79769fef9603e34e27e12d1d983717c7cfe569bdcc0fd51e643db9f1e44fb2c84c75c82ec58d953e185f0cebb5744e432cff1ab4c34ce0f3fcda141a262f754b

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml

MD5
be0740a890d03083ae5ff5c384188a05

SHA1
9801e30d8170b983a942bb9f6a0f08f6e3a8ff35

SHA256
b0729c125858cffc4650dcabad5d493ad9a734b2d10cfc13d5a72a72b940d837

SHA512
264c858d1953e1082ad44535a21dc64f90c712f3b49990049834330ccc2db76bc0e1d280849c433517b59d42754f099cdb6e829df55bf512fc0bc1c406de23f8

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab

MD5
5f736d874ad304e1aa5df1271c42880e

SHA1
7aff43da2b389781366d37ee69e0c5e3da3e839c

SHA256
01c80385e9b9f4d2045c135de87a620fe1dd8360ff6c2319698d4ffcf8c7ed39

SHA512
4c1255d171b92d2b80ca8af0e9be7604dc52ede891e75063933b60646cb008daf68298099e7b7a0cce18c00acd06a190bedd765151865d31a07fe0aba20625c7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml

MD5
851223d792500d9656c7fff0237f9f0c

SHA1
a660cd8ec85238a6b3266a8cb534c9ceda0feaf5

SHA256
a01d5c42e353f47d091e8252a4c777385752965aae8bce62d74c5844dd65b700

SHA512
d2a1d1f9bf4f75a85bdca5b685384fdb00814c1be4b0c7de08a8450df378c8a38f3879cf15b91529f10b039f7c95face0d58060eb68073a318d4cea6e667546e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml

MD5
494e7c4893c830f73fcb5302a08160a3

SHA1
255bc78e4ba1d0083c2d38cfb971fdd9f9e558f6

SHA256
1d7a5247f74b77f94c6e9b13218cd8b5f8895c21f7c8b9c7ff524407a2959c30

SHA512
d2b1583035768ebbc21d44f9b08d72a6996603ff129b54057df2799512216c3668dd24e5d295f36c46f4f188437710f3f31597457a4cede25d5fd89edd85d651

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST

MD5
6d0d5d92fcabbcc6ce5e1a1a74e7fb24

SHA1
a41d66ffc29ac9725ec7b36cac96d6c83d6a2e01

SHA256
c2536661553f48d157bbaf8ce5eace3606c826d14600e41fe5ab923b4056bbbb

SHA512
c7752f73f8a226fbb657ea14e2c87de871105c289ee859cb6592140e49f84b1f712cf59f7a3102964aaa05035fcdb73cacf3851640611f3423f15c33d54a3672

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml

MD5
34c571da3d0aa3d18d9537ee42dbfed9

SHA1
290d1d0b5f0fdea1a37ab7e63f1ec71865ff3a34

SHA256
8511e5049b0e129398fc07098e91da2b532aa41d414195bebe33cfae915b544b

SHA512
9d85a9ce5f161ec78800e7bd28a2932a9e5646d9af02591ec3a02e6d1f663c41cfe8d8a971b0d9110cdd190e426b4ae023f4be60cd1fe094419b9df3cc7204dd

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm

MD5
7a15bf335b048af19c14bf512be12f8d

SHA1
caf6d9514990d637504756afb6605d0678809566

SHA256
fd9b14872a28a0266fd6501a339b2bef3a4ad915056112fe98e952096ced14f0

SHA512
bc053ebf7e60df1fb4b5bb6be34ba7a74842f817d7cf35ea0188b0536cea6ef6e4441fab4adc6a8d0854ea1f66d13b32f2e72d827890de5a22bebc7537484b44

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_17ebba21-ade9-4848-b865-5b9359ee593d

MD5
bfb5f293ab146d8e3dce06e7e1aa99eb

SHA1
750f590bb3da378d09e4a2802b068a3a21237b3c

SHA256
9b29850f40c8d4fc7096567a980c09e854e1b2a922dc07e9ca24e6fcea98c0a7

SHA512
307840a7d344873aae9bb8984c869fc0faf4f0394c367c78e68d3d09b08e9444e0d99976bf7168c4677f0380d0aee9989a694b52ccfd80d55fd957e562b59f72

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/848-62-0x0000000000000000-mapping.dmp

Download
memory/1092-60-0x000007FEFC4D1000-0x000007FEFC4D3000-memory.dmp

Filesize
8KB

Download
memory/1128-63-0x000000013FE50000-0x00000001401DE000-memory.dmp

Filesize
3.6MB

Download
memory/1216-61-0x0000000000000000-mapping.dmp

Download
memory/13368-144-0x0000000000000000-mapping.dmp

Download
memory/34208-136-0x0000000000000000-mapping.dmp

Download
memory/69536-132-0x0000000000000000-mapping.dmp

Download
memory/69616-133-0x0000000000000000-mapping.dmp

Download
memory/69680-134-0x0000000000000000-mapping.dmp

Download
memory/69712-135-0x0000000000000000-mapping.dmp

Download
memory/69888-65-0x0000000000000000-mapping.dmp

Download
memory/69928-67-0x0000000000000000-mapping.dmp

Download
memory/70032-137-0x0000000000000000-mapping.dmp

Download
memory/70048-146-0x0000000000000000-mapping.dmp

Download
memory/70072-145-0x0000000000000000-mapping.dmp

Download
memory/70088-138-0x0000000000000000-mapping.dmp

Download
memory/70172-139-0x0000000000000000-mapping.dmp

Download
memory/70348-140-0x0000000000000000-mapping.dmp

Download
memory/70424-143-0x0000000000000000-mapping.dmp

Download
memory/70436-141-0x0000000000000000-mapping.dmp

Download
memory/70520-142-0x0000000000000000-mapping.dmp

Download