ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
112s
max time network
139s
platform
windows7_x64
resource
win7v20210408
submitted
31-08-2021 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

bWDkC.exe

pid process

2044 bWDkC.exe

pid	process
2044	bWDkC.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff	Dwm.exe

Deletes itself 1 IoCs

Processes:

bWDkC.exe

pid process

2044 bWDkC.exe
Loads dropped DLL 1 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

pid process

1348 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2044	bWDkC.exe

pid	process
1348	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\bWDkC.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18219_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\messages_zh_TW.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\White_Chocolate.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Indianapolis	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+9	taskhost.exe
File opened for modification	C:\Program Files (x86)\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\THEMES.INF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME29.CSS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\NAVBAR11.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14582_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152432.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03466_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Apex.eftx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00417_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\HEADER.GIF	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099195.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198712.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\YST9YDT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.TTS	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105974.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR23F.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099200.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21344_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_pressed.gif	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Port_Moresby	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\THMBNAIL.PNG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONGuide.onepkg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR8F.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER.XLAM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGTOC.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanPhotoAlbum.potx	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaSansDemiBold.ttf	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belize	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21338_.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\COMPUTER.ICO	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.IE.XML	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02404_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt04.hsp	Dwm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDREQS.ICO	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGREPFRM.XML	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\stream_window.html	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
70196	vssadmin.exe
70388	vssadmin.exe
69976	vssadmin.exe
70260	vssadmin.exe
70356	vssadmin.exe
70036	vssadmin.exe
70324	vssadmin.exe
70032	vssadmin.exe
70168	vssadmin.exe
70260	vssadmin.exe
70228	vssadmin.exe
70100	vssadmin.exe
69936	vssadmin.exe
70292	vssadmin.exe
69800	vssadmin.exe
70292	vssadmin.exe
208	vssadmin.exe
69824	vssadmin.exe
70060	vssadmin.exe
70196	vssadmin.exe
70132	vssadmin.exe
70164	vssadmin.exe
70356	vssadmin.exe
70104	vssadmin.exe
70324	vssadmin.exe
70004	vssadmin.exe
70068	vssadmin.exe
70228	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bWDkC.exe

pid process

2044 bWDkC.exe

pid	process
2044	bWDkC.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

bWDkC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2044	bWDkC.exe
Token: SeBackupPrivilege	69828	vssvc.exe
Token: SeRestorePrivilege	69828	vssvc.exe
Token: SeAuditPrivilege	69828	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1136 taskhost.exe
1192 Dwm.exe

pid	process
1136	taskhost.exe
1192	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exebWDkC.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1348 wrote to memory of 2044	1348	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	bWDkC.exe
PID 1348 wrote to memory of 2044	1348	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	bWDkC.exe
PID 1348 wrote to memory of 2044	1348	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	bWDkC.exe
PID 1348 wrote to memory of 2044	1348	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	bWDkC.exe
PID 2044 wrote to memory of 1052	2044	bWDkC.exe	cmd.exe
PID 2044 wrote to memory of 1052	2044	bWDkC.exe	cmd.exe
PID 2044 wrote to memory of 1052	2044	bWDkC.exe	cmd.exe
PID 2044 wrote to memory of 1136	2044	bWDkC.exe	taskhost.exe
PID 1052 wrote to memory of 864	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 864	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 864	1052	cmd.exe	reg.exe
PID 2044 wrote to memory of 1192	2044	bWDkC.exe	Dwm.exe
PID 1136 wrote to memory of 69760	1136	taskhost.exe	cmd.exe
PID 1136 wrote to memory of 69760	1136	taskhost.exe	cmd.exe
PID 1136 wrote to memory of 69760	1136	taskhost.exe	cmd.exe
PID 69760 wrote to memory of 69800	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 69800	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 69800	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70004	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70004	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70004	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70036	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70036	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70036	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70068	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70068	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70068	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70100	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70100	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70100	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70132	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70132	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70132	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70164	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70164	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70164	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70196	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70196	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70196	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70228	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70228	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70228	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70260	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70260	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70260	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70292	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70292	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70292	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70324	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70324	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70324	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70356	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70356	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70356	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70388	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70388	69760	cmd.exe	vssadmin.exe
PID 69760 wrote to memory of 70388	69760	cmd.exe	vssadmin.exe
PID 1192 wrote to memory of 69900	1192	Dwm.exe	cmd.exe
PID 1192 wrote to memory of 69900	1192	Dwm.exe	cmd.exe
PID 1192 wrote to memory of 69900	1192	Dwm.exe	cmd.exe
PID 69900 wrote to memory of 69936	69900	cmd.exe	vssadmin.exe
PID 69900 wrote to memory of 69936	69900	cmd.exe	vssadmin.exe
PID 69900 wrote to memory of 69936	69900	cmd.exe	vssadmin.exe
PID 69900 wrote to memory of 69976	69900	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69900

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69936

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:69976

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:208

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:69824

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70032

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70060

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70104

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70168

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70196

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70260

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70292

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70324

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70356

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:69760

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:69800

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:70004

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:70036

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70068

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70100

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70132

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70164

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70196

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70228

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70260

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70292

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70324

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70356

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70388

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348

C:\users\Public\bWDkC.exe
"C:\users\Public\bWDkC.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\bWDkC.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\bWDkC.exe" /f
4⤵
- Adds Run key to start application
PID:864

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:69828

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:33572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
1497316a195a8413ed4c3ae6c9acad0a

SHA1
14142545be482905c2cbb063226b01c6adf423ce

SHA256
a579aeab865eedcae793063648aceaf811a2bfa117d86eaeac6f3f5fb32ba430

SHA512
2178682666a8bba02716f253678e8d626e728185a28d7446134151f8ffe250c0e4a0637a43af6908249c28f1e40dbe3c6fcb476a73106caaa6aca7ff0157bc1b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5
3091e69165f5882362167a112c8959b2

SHA1
58b7fb782db2519301f8a583d933367715a9b156

SHA256
40e2cf2ddf3c5bf2510e98ff50a3c9067e8b42de1d2b1ad3951e85286d6414af

SHA512
4a5083026e1df08c0003b2f888f3052e7bc630641d65577825ab67dacb05f71a627fa26ff927dc29e9550865a1a1e724e67e88f898dbb4cb3e76c2a85aebda76

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5
7e6f1c5d32dcdad43642f6bb6ed8f550

SHA1
be57f3a7750063388f11de038f659400511d1929

SHA256
27f887c23528e0bcd92d4055c91e197fe34bf1a47eaf5ad11b6109756ce5bf20

SHA512
2a56bf51771fe1201b5bb0240d39b87a42230b49016067390f3aa275244ddceddce41fb8760559af1ac0af40c653e3f6f0a4d05813f563bff06d9b6b1a5ae459

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
5d64c54b189e743285bdc660b584ffb1

SHA1
0d70088e8ea6faec37e461f5e8e58de1b8265c56

SHA256
abf6732d4f088d41014ad1fd7ecdcd8e02164ff840d176c2fc8ccac5c972a1a0

SHA512
099ccb45371ca2652346632d896d43a88d3ecff34f43a564d517c60801a042e798fdedb16f6162dd24d2aafc6587245f03ffbb8192ac3d7379604a0fc214e216

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml

MD5
2f4c23fb9ca09596ad477aaf8087d461

SHA1
2fd5e224ddc6ae00707723fdf718aad2a2d255b4

SHA256
c3d58a7ddd6de9c7267af039635308fa36c730f74021f0cdeed5c988c011e23b

SHA512
1ec73b1773873a8aff960384b79c8d982510e90d48f2d853a538fd6cc3623ade319b35071635f677e91eddf77466c4262aef49d200c0a470c114fc451d470d9d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
150c13d5140600346683cf43de05d450

SHA1
45e688aad9b8233c6d98225b7abe007af67a8159

SHA256
1f6b71deedc283d9dd21b0d9872ae9862dfa5eb772e298af6a22fae983cd918f

SHA512
fc3943c408a2856b205f721c8dfafe18d59e4fb8946a993c5f9125a08155e96039497568ccb6b452cf0ed9a7845d1eb418c6fdb1f17b6a4344420346f3de7bdc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
e59795b6733d727bd2f2e2a798d849d0

SHA1
e0a2ce55a4726999ec5c79f730e7581d068013a6

SHA256
ef3730a8ee8c99665a5db752d8bbe5ca2a8fb8ad72c4bd7f9d632447855ffe93

SHA512
ce0d6038220ca9520cc9ade9662061b7c2cd062678679c9b65d2b813b3df62402ceda41ab65bfd6c89aee61f17bc177237fdbbd84a39c7721867edba40348576

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5
a9f73919145afbe7e5b78455852d23d2

SHA1
3f146ec1120cf0adbeb63252975d60f6f7741c4a

SHA256
9f4a6cff49c979dbe479bfc81df6eb8df4b6a022965b61c681b68d8e6d31f7d4

SHA512
16991b964b56e5b5ef529bba920a7f1443140aaf2d438d492f77eb08c21e5c2d9821367d476ad11601f6506096de5cc4da65ca90379a4834de1f96663b92e5d0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms

MD5
bfb3241e6c19d70c3566a66db54cef60

SHA1
4ba4657a996480c4a0e3aadcf4fba8a1788f4a8e

SHA256
47a2c1676af2480dd3774cbcd4d7fe5426a8b7d95679430ce76ddb3cdd2b5c4b

SHA512
c99702bd15b3a158585acff01b5dc541c3d7a6ea008b128becfea8a315005aed7e3d63e94454260c2a3800577540d849f207097c08380a1de2680e41cf6790cf

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5
2d5c14d9bb73f825a9a498d99eda8161

SHA1
1629b452c0469fd30fd4b225dcb2db717515d7d2

SHA256
06aab1b9f2de2fee2d3ce79f34a19f90e4072f7ad9c336164cfdb96757fb0f9b

SHA512
0af260b0ce6242354918bcc3a0d95b63d904835f4ce0a756606f91158d34eb3dbc5479b7ee07e16f523c6b6b72cd975e3ea536fbdc1d8475c198df3eea3b1e92

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5
54a982f9e32665e2c1758599657e4c52

SHA1
0ed9d4d5eac39694ee0196b80917a5b61ead5f1f

SHA256
1f94d22c1560646f364e157075fba98001728eac6e376e4e32c1ab304f7e7adf

SHA512
97bc0840baef078aa770aecddf3b316d7de16c36477aaaf00f5159a40f28088ed8efdb7972288e0186a733497022f2e70d394b5c4d24b3b8a2247e2e536b9d76

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml

MD5
00bb03a277254147974bf6ee974e5a4f

SHA1
840e28682663b8aeacfb21d6c617b97d51bc9a91

SHA256
9cb4f410f481ffa62c55723d267fcd98318f4e5c5819f69f94e978b17d6085aa

SHA512
b9bc2b5805befb5fb8bad69b76cdd3aacbf62917922a7f37ad9574b6aba473c8c6678e979dc91ec4dee182be2776296b7fd48a5116c7d418d3caafd1648a61dc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
6e6400312d3a1a7cbb9c4ec38a4f951b

SHA1
06522cfbdb453870176cffb06a92d184d090c648

SHA256
c8e5418517dd46c307b8eeded3512e7dd19bc0209f91dcd3cd6eafe2be0ab269

SHA512
e632f7590dc67f18efa0e796183acbdf5354c987343f93b5aa0358b767b1d7fac37885e3a7b548894bbae1feabaee591bfef6c84739d95baf1b9937a71c9ed2d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi

MD5
7181e5cf66e036800941009db79be8f4

SHA1
2632f504802692b06d142f2057e7ec3f377914a6

SHA256
b43c1e9596b4f0f9e2aa6bfa18ce9b84499b0b60816aaf70d2a5cce8f56c0dbc

SHA512
af77c5d2c8ca03101ee7ce5736df41c259edc1796eb1d456677549c2f426a556bd9310dbbf21d6f516a8a6604698bc95a8cf4ea57fe85e099a74eff0a7734b52

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5
15b64531c571c677c8d1a26c8c648717

SHA1
e2c55292a076847e992c6564886c14f6886d0d93

SHA256
cdc82089a8bd4e1399b8c4c3541e6bf3f57afec7866990426b27c9c5637c8b6f

SHA512
71746f3d42ddb8e95dfb53f5eb63edeeaa87ae87ebe62521237ea44ddba401de6703260dc3052cc7ddd2ede0db1824a682695066a831506446d65149a5b2e8db

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
753112262ac48037f02e32fbe67f0c11

SHA1
037a32dfccfb13bffe3c7ce474eecebfaaf6409f

SHA256
69744a0baa05b06f532b60533989bdfaa9b1a2fa2f07b85c8fca4de92b1554e2

SHA512
79b799acd6a65fbdb63161f0598ab5a9715d2e81621d523b772880125102a13bd960a1482376b13a6c74cf2c2ac1729ec0a43ec0f46b022d7219f575c69c756c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
3e782f7506806093c9205e82302a734b

SHA1
664dc80bcda792cb30eca8e2d830e878d0ffa253

SHA256
737c7ee9bf8195adbccf497fd3829387511107537569b8b58eb45921aefd7d5c

SHA512
693027a041f45c81b35bcd526761b462a2d06f21bec1b3f94e5d10920f3b36a5269984f455abc0fe537737c197c4d2224c89610e02336877a10199dbe7e00475

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5
26b47b86b28ed0808364b60658a55c40

SHA1
b05d47dc2f7d06956f3e885499eff6fd5d78f8a7

SHA256
e2ddc588f0fdf1cdb30fd327cb51b6debb02a9f30f8157e92ae96ae6b78d4e1b

SHA512
ed3561add7912e5944418f485623b67441966e3833c97d6bc2213b9299328e6956ea2a81a148765be2d944729b0bbd895469f6a66794cb1466203852eff008b1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi

MD5
ca0a2ed094cc3eaf4917ebfb966f1bb5

SHA1
51ac30da628127cb3aca259e5d9f50c1d2ca9de6

SHA256
ff19283db6da8b867605b87d2516298879ddf9504a2d55861b1a36e7cfddec45

SHA512
78d01cd25e1486d8dc5633d2c6ab84932321b5cc31ffb22fe420225bc19f5776f817fdd6a3f6ca15e6c9f152d4b40cc1d98c6d1056fd3dc600f01131ff550582

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5
88ab661ba4990e8b749dadd876e76542

SHA1
442c4c98976a3b89af3030512c595c3fa68490b4

SHA256
4b4f8119814ad9dde82798c712677b08e36cdabfd29b5a6f81c96c97e0562d5e

SHA512
0f8adbeb572a6837cc6bfad115e4affb71bae9de22f4100c7a62c520510f0755650256b4adcd88e754e4a03ef82a2407aaae7628753ebb809934c304ac03dd3a

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
70d44f344ff399f4c2fccf5c590ebb8b

SHA1
5e6b1b1273e29d1ed58fab20b4912f70e2c5c7e1

SHA256
27859207d0fbac2e9afb971d5c63ad70fbf66bc1f9b07a7e20484ac3a1907d3a

SHA512
54dc9bd96a0de713cbde1960f63b28d9ce37ecc32ffd5753f981a7f79ba9ebd9c2d470ea3427ea2e9535330a4b8d52745a845aea8ac740a786be52ee6f0afa4d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

MD5
4ac296924cbacf1cb78d0e4d5c8bb577

SHA1
e3d02297fc22ff558838e23a731b918df5fdb46f

SHA256
f5f9ad608d75b8d1d985517e99062946d043ec1e864034d87a4212cc0d90402e

SHA512
7e3f22e40154863e0e72797895b5f6813a17862658d500a59c255d02fb45e193f56c8cb39dce732207c079f2e1ae19dd4735fade662b4320441c624f7f68c937

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5
a01ab7be11e5bba00c000ebab7e155fe

SHA1
d9b9a25f36e529d61b5518c713787be256284ba9

SHA256
bc0e319defbb4f64543210d8baed08dfbdb7340c48eea50b4fa7b296ff5a2ccf

SHA512
7e9af4529886bb02c2dd80cc0a1145c9e6e5e7e575845a2c6a60e4c6f10d359b3bdd1e6d7110915f0c701cc969160e5cb689b6945fb0bbbdb28e81646860ed95

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

MD5
8053a37c6c66f776a4b42e6f3f077b07

SHA1
a8bf7b49adb607a0c6669015829882dbd077000b

SHA256
b6fe30aaea51a4442597296da0fb984b0187ddd013331ca7594bd542a73f3b8b

SHA512
516696b750800274cf603e6767ef379f3b502a3b2e9a5459a24e9adc6eac796ade04b2639995530d64ac05a5aebff0a42e805281a62562c0118fc77c28b683f3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
c9c9c07ab239384d72ce2adccc7b5320

SHA1
898e361517933ff7f5e8fc9e18316d8c4c2de13b

SHA256
7af1e2cefbe66f19f1013fc3424d22cc0a5ac65e9f9af6389ab1490a6dcfabfe

SHA512
f918407591ab044ca5eef3f9aba5b0bdd92e25f3c2ec60a7584fc92d35e2b128ca55da343d90b4dc7833ad865395446183a52131d363e2e4d62645892628c74f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml

MD5
e454aa455f4fcc48cfb55c023d6b8303

SHA1
d051a6ccf52d9ae1fc62bc3edd083239119d236a

SHA256
2fb4ec99c61cd293d702378b5bfb1001ebe891918867b4b2e2b8caf738551f7b

SHA512
f95171692b6eab2c620572f2f18d0c37a2bd2607c4c5f750d50894b1be99b4dc33ea42750a9d4db8080fa214287080b741152cd73ade817f37f955729ce7e447

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
30b80b43254a6d433324c617a472b1a2

SHA1
7cb769079b902c708afacf666ec5b1d114a30e82

SHA256
b869fcad46742f299584237598de6d99796e5e414bf6a5c3c65e759807784b6c

SHA512
4d7856be6827c8192ae3e65490339d9244651548c1ceb0948272c37ac052d1d4f8337c27edfd4a46a67d872c533e6b2f86c0ff7afb2d865416baf7baff63c893

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi

MD5
eddd7851927feb58c28393e48af33448

SHA1
4a6a7e307d48a0c734b3bec0bbd80c0ce85f07b9

SHA256
59ce11948cb0e609428aea88b14766303b5525ea2e975bb3523523d2cb78eb3c

SHA512
0dedef0f30837574d75c6bcab14b1e3941519db22e94db1bae7df9e02a0e1d8274c2fccfb6603bc6c2fc11143c129c59044caa45261ca80b0edf53e8c8094311

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5
a80b6dc30a5dfde80667b0f3658b133e

SHA1
9430b7cd44033512beb6c9ad5fa9cf2e8ca77d09

SHA256
d97f4acd08d087b603fbbdd0ba8ce36d17b361b335f73b20a898024183b9aad1

SHA512
77e26458cf771338d6ba1f051caa66b89aed1e7e97d29d2da32339c462097141f5fd73ae8a8d83fa457acad040eda29949ea82c1b35b6b3d409463483da7f690

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab

MD5
3e0405d323aee5b468e4aa5f9fbccdd9

SHA1
af71b531872f548baca806b86a67c289afe96136

SHA256
fe6f7d084e4b49b1456a45bf44aa7bbae62e63767ecaf949dde479ec84b51643

SHA512
2ebfc2086fe451d9ccc9e4cf38c985baf38af014b03bd4586db2dbc40e92070865a3f8688bc9f0eb288f313e9f1d56f66316bdd912e7cb800ff8f9904cb35571

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5
83d737e1d1db921c8becddc8098f5044

SHA1
86b60cc68af83230a7f8becf7b852c1654537ab3

SHA256
79f36debc5052ebdb76b6a529e831e54651be4cae16b2420290ae8e9ecd0b4d6

SHA512
39d7c029bdf3bc3e2f495fde25aea4bc2c698cf3d733a6654e4e16e84f9f7fe1d34bb6f89b7b32425875d6e41580003327fbcf7c2fff877be852ac138d7e8bf7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5
e2af8f548dcbd8d4b74c7189d346abfb

SHA1
c61059fa7bd13f45da1a87bed6bf127d79a12f54

SHA256
047a6240b107daa2feba548cc1970a74d113eee0f474b5cae3d56d605cd708db

SHA512
7fb0add0e0b4006550f5a26e4528799d58055c8088935968d4b58ae7d0b93890c75ef7e72336f6386a1aaaaaf6060f90ee48f9326b364c8077a15a21bed72909

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi

MD5
81e75aaf4757cb6d6b2d3798febc6139

SHA1
44aeb3f21adba8476df0937632eb1748052f325b

SHA256
1468469bd55ebf2edf390d0c49d402d058578582ff340e8c8fbcad4f6cb6967c

SHA512
0b4dcc1ca73f701efde74ec445ed6f09dae0280a81889be671cae5103b6da38590d899159c37019923061b19f74279d37a6ddee193662b6ad128f1890d8724b8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\Admin\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\7-Zip\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00

MD5
0424c747d18b1ad6fb7995ddca4035bb

SHA1
67ac65e3ad3304f9b7e61d7544a23859b51cf63b

SHA256
f22ed071a1c0414534d64f6d0829a5bd7dbb8167548bc896c10d8ee7d5c1b8ca

SHA512
f04c388542a56f57ea68883fa6be49ad60a3fd2601d4d86cc28b3c5224a746459f8d25386ff38b4364da76039c03c53b58c488ec0c5abc4ecebebdfbdd8c204b

Download Submit
C:\RyukReadMe.txt

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\bWDkC.exe

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Program Files\BackupConvert.wmv

MD5
3f4dbcab828861ca3fadb5db2d837d3e

SHA1
8cbad4e616f59ec5336f4fb2d81d4e77fef28b0c

SHA256
5a2e9f689511b79af7b70338525379f8e9e09d8987dc0f1ea41cf496ef6cab87

SHA512
4d7aabaadd2589d61fe341c29dc331719c2000087e63595aa511ea9d47b8cded0378d5dff1f5a573f3e6cfc2f9faf6ff872787d6fa5dcde10bc35ae28f0b2641

Download Submit
\Users\Public\bWDkC.exe

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/208-150-0x0000000000000000-mapping.dmp

Download
memory/864-66-0x0000000000000000-mapping.dmp

Download
memory/1052-65-0x0000000000000000-mapping.dmp

Download
memory/1136-67-0x000000013F4A0000-0x000000013F82E000-memory.dmp

Filesize
3.6MB

Download
memory/1348-60-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/2044-64-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download
memory/2044-62-0x0000000000000000-mapping.dmp

Download
memory/69760-69-0x0000000000000000-mapping.dmp

Download
memory/69800-71-0x0000000000000000-mapping.dmp

Download
memory/69824-151-0x0000000000000000-mapping.dmp

Download
memory/69900-147-0x0000000000000000-mapping.dmp

Download
memory/69936-148-0x0000000000000000-mapping.dmp

Download
memory/69976-149-0x0000000000000000-mapping.dmp

Download
memory/70004-72-0x0000000000000000-mapping.dmp

Download
memory/70032-152-0x0000000000000000-mapping.dmp

Download
memory/70036-73-0x0000000000000000-mapping.dmp

Download
memory/70060-153-0x0000000000000000-mapping.dmp

Download
memory/70068-74-0x0000000000000000-mapping.dmp

Download
memory/70100-75-0x0000000000000000-mapping.dmp

Download
memory/70104-154-0x0000000000000000-mapping.dmp

Download
memory/70132-76-0x0000000000000000-mapping.dmp

Download
memory/70164-77-0x0000000000000000-mapping.dmp

Download
memory/70168-155-0x0000000000000000-mapping.dmp

Download
memory/70196-78-0x0000000000000000-mapping.dmp

Download
memory/70196-156-0x0000000000000000-mapping.dmp

Download
memory/70228-157-0x0000000000000000-mapping.dmp

Download
memory/70228-79-0x0000000000000000-mapping.dmp

Download
memory/70260-80-0x0000000000000000-mapping.dmp

Download
memory/70260-158-0x0000000000000000-mapping.dmp

Download
memory/70292-81-0x0000000000000000-mapping.dmp

Download
memory/70292-159-0x0000000000000000-mapping.dmp

Download
memory/70324-82-0x0000000000000000-mapping.dmp

Download
memory/70324-160-0x0000000000000000-mapping.dmp

Download
memory/70356-83-0x0000000000000000-mapping.dmp

Download
memory/70356-161-0x0000000000000000-mapping.dmp

Download
memory/70388-84-0x0000000000000000-mapping.dmp

Download