ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
131s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
04-07-2022 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RyukMalware.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 1 IoCs

pid	Process
992	SwOPh.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\SubmitLimit.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitLimit.tiff	Dwm.exe

Deletes itself 1 IoCs

pid	Process
992	SwOPh.exe

Loads dropped DLL 1 IoCs

pid	Process
1600	RyukMalware.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\SwOPh.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\Γ)$fCæ[εi─$w²ì÷	cmd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\GRDEN_01.MID	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5B.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Issues.accdt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0285750.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Monaco	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-jvmstat.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Casey	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\WINWORD.DEV_COL.HXT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03731_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00012_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105328.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\TAB_ON.GIF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00445_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.fca	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00204_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090781.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Palmer	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR32F.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.alert.ja_5.5.0.165303.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-modules-profiler-heapwalker.jar	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jvm_ja.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\sentinel	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\THMBNAIL.PNG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00194_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10255_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\APPTS.ICO	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\PLANNERS.ONE	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.IDX	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0238959.WMF	Dwm.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\de-DE\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt_0.12.100.v20140530-1436.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02024_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00231_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Dotted_Lines.emf	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\org-openide-util-lookup.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0103850.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN058.XML	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Services\verisign.bmp	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\vlc.mo	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\GRAY.pf	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\LightSpirit.css	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsptb.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0216724.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\San_Luis	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Data1.cab	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\CG1606.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\flavormap.properties	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01366_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 17 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
71436	vssadmin.exe
70924	vssadmin.exe
34760	vssadmin.exe
70788	vssadmin.exe
70864	vssadmin.exe
70996	vssadmin.exe
71128	vssadmin.exe
71296	vssadmin.exe
71372	vssadmin.exe
71076	vssadmin.exe
70940	vssadmin.exe
71560	vssadmin.exe
71632	vssadmin.exe
71448	vssadmin.exe
204	vssadmin.exe
37928	vssadmin.exe
236	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
992	SwOPh.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	SwOPh.exe
Token: SeBackupPrivilege	70968	vssvc.exe
Token: SeRestorePrivilege	70968	vssvc.exe
Token: SeAuditPrivilege	70968	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1132	taskhost.exe
1220	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 992	1600	RyukMalware.exe	27
PID 1600 wrote to memory of 992	1600	RyukMalware.exe	27
PID 1600 wrote to memory of 992	1600	RyukMalware.exe	27
PID 1600 wrote to memory of 992	1600	RyukMalware.exe	27
PID 992 wrote to memory of 1268	992	SwOPh.exe	28
PID 992 wrote to memory of 1268	992	SwOPh.exe	28
PID 992 wrote to memory of 1268	992	SwOPh.exe	28
PID 992 wrote to memory of 1132	992	SwOPh.exe	10
PID 1268 wrote to memory of 1204	1268	cmd.exe	30
PID 1268 wrote to memory of 1204	1268	cmd.exe	30
PID 1268 wrote to memory of 1204	1268	cmd.exe	30
PID 992 wrote to memory of 1220	992	SwOPh.exe	17
PID 1132 wrote to memory of 70904	1132	taskhost.exe	32
PID 1132 wrote to memory of 70904	1132	taskhost.exe	32
PID 1132 wrote to memory of 70904	1132	taskhost.exe	32
PID 70904 wrote to memory of 70940	70904	cmd.exe	34
PID 70904 wrote to memory of 70940	70904	cmd.exe	34
PID 70904 wrote to memory of 70940	70904	cmd.exe	34
PID 70904 wrote to memory of 34760	70904	cmd.exe	38
PID 70904 wrote to memory of 34760	70904	cmd.exe	38
PID 70904 wrote to memory of 34760	70904	cmd.exe	38
PID 70904 wrote to memory of 37928	70904	cmd.exe	39
PID 70904 wrote to memory of 37928	70904	cmd.exe	39
PID 70904 wrote to memory of 37928	70904	cmd.exe	39
PID 1220 wrote to memory of 70756	1220	Dwm.exe	41
PID 1220 wrote to memory of 70756	1220	Dwm.exe	41
PID 1220 wrote to memory of 70756	1220	Dwm.exe	41
PID 70756 wrote to memory of 70788	70756	cmd.exe	43
PID 70756 wrote to memory of 70788	70756	cmd.exe	43
PID 70756 wrote to memory of 70788	70756	cmd.exe	43
PID 70756 wrote to memory of 70864	70756	cmd.exe	44
PID 70756 wrote to memory of 70864	70756	cmd.exe	44
PID 70756 wrote to memory of 70864	70756	cmd.exe	44
PID 70756 wrote to memory of 70996	70756	cmd.exe	46
PID 70756 wrote to memory of 70996	70756	cmd.exe	46
PID 70756 wrote to memory of 70996	70756	cmd.exe	46
PID 70756 wrote to memory of 71128	70756	cmd.exe	47
PID 70756 wrote to memory of 71128	70756	cmd.exe	47
PID 70756 wrote to memory of 71128	70756	cmd.exe	47
PID 70756 wrote to memory of 71296	70756	cmd.exe	49
PID 70756 wrote to memory of 71296	70756	cmd.exe	49
PID 70756 wrote to memory of 71296	70756	cmd.exe	49
PID 70756 wrote to memory of 71436	70756	cmd.exe	50
PID 70756 wrote to memory of 71436	70756	cmd.exe	50
PID 70756 wrote to memory of 71436	70756	cmd.exe	50
PID 70756 wrote to memory of 71560	70756	cmd.exe	51
PID 70756 wrote to memory of 71560	70756	cmd.exe	51
PID 70756 wrote to memory of 71560	70756	cmd.exe	51
PID 70756 wrote to memory of 70924	70756	cmd.exe	52
PID 70756 wrote to memory of 70924	70756	cmd.exe	52
PID 70756 wrote to memory of 70924	70756	cmd.exe	52
PID 70756 wrote to memory of 71632	70756	cmd.exe	53
PID 70756 wrote to memory of 71632	70756	cmd.exe	53
PID 70756 wrote to memory of 71632	70756	cmd.exe	53
PID 70756 wrote to memory of 71372	70756	cmd.exe	54
PID 70756 wrote to memory of 71372	70756	cmd.exe	54
PID 70756 wrote to memory of 71372	70756	cmd.exe	54
PID 70756 wrote to memory of 71448	70756	cmd.exe	55
PID 70756 wrote to memory of 71448	70756	cmd.exe	55
PID 70756 wrote to memory of 71448	70756	cmd.exe	55
PID 70756 wrote to memory of 71076	70756	cmd.exe	56
PID 70756 wrote to memory of 71076	70756	cmd.exe	56
PID 70756 wrote to memory of 71076	70756	cmd.exe	56
PID 70756 wrote to memory of 204	70756	cmd.exe	57

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:70904
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:70940
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:34760
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:37928

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:70756
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:70788
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:70864
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:70996
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71128
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71296
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71436
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71560
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:70924
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71632
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71372
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71448
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:71076
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:204
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:236

C:\Users\Admin\AppData\Local\Temp\RyukMalware.exe
"C:\Users\Admin\AppData\Local\Temp\RyukMalware.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600
- C:\users\Public\SwOPh.exe
  "C:\users\Public\SwOPh.exe" C:\Users\Admin\AppData\Local\Temp\RyukMalware.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:992
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\SwOPh.exe" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1268
  - - C:\Windows\system32\reg.exe
      REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\SwOPh.exe" /f
      4⤵
      Adds Run key to start application
      PID:1204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:70968

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1292

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
22.8MB

MD5
e191ff056735a6a255004bbbf5f974a3

SHA1
19be8ce22af99d866e77c89379305d3db5a2e311

SHA256
d3b37a5e4e8c4b04a26759ea7bd7dc5f12b65a1cf4c4eabecc0a35a597e75dcb

SHA512
f94e314320fc02a9836829804c13b80357b617151841e54ad31c3bbb76f6187482440558dbecdb57a25c88feb7b7a0f0332ef799b5f55fb9cb78639c0f5a5abb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

Filesize
2.9MB

MD5
441c90ef1566062db8857be4b5c52545

SHA1
76e1e705440c8d93fb174cffec985158c806f7fe

SHA256
daf18b4df2c495589f2905112ae92779c9f7ca35d6d1897cbe2ebf9c05ab9051

SHA512
fee7899d77affab54506983a79c1390446a02051a99c400db642a6952e6bebe3dfc242166ba0b99e58477c28e922d780707d2b1780baf800f4c969be1a32d428

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
7c287683be3215ce7228e414616b80e8

SHA1
88de9b1dbaee119dbbd8bbfb422000cdee2711b6

SHA256
12d76a1690791c5b9fc575e954412c33da7f43787c0773ffa663ff0bd5fd24cf

SHA512
1511cea62041d6ad0b3c653fc328447960566943eaff738b48ef2c9cb5a712a102daef64b1895b9d2a396822994f92abee331970d4321de3291d5833a52f02c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

Filesize
142.4MB

MD5
e595cdb212b1cebf6da778be2cc11ba5

SHA1
f13b3d979b4184a7d1bb410a76bcebaafa8bd700

SHA256
6f841f09a36df7a4fa1336eeee79edf6a9aec432e178a40f44d7e7b962c20d86

SHA512
17ae23809cc5da13bc3c5291efb3b768d05cef0f94b21d0186ea47d9fa961239e5bc22a3faf971ffb259f8de30b811718f98adedfbba35e88333572a7dd145ee

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

Filesize
31KB

MD5
6b92a6ab66a17a0a0a752e39051b7ae5

SHA1
bad6904c7423ecae47d36cc12db7c95c11e5c486

SHA256
8dc7f177e455c0b89187bc2e0622637ad1a264644e833a096b3b474d7f4ffbb4

SHA512
fa4df9792460973ddccb9a5758fcc610fabd9464910ac1aff7e49aa0a47998464155af608e26f88f68f114909ac67910ccbc37ad885d8c7bfd25ac287d0be394

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

Filesize
1.7MB

MD5
89321734bbb874cddf3687e0dd9775d8

SHA1
1b2c71a2f106ad22d3664d5d58917af93c16946d

SHA256
54f0365dc95fb8bae79ae20cce43d933e69eb4bf351ada5daa6e07940a709f52

SHA512
41c7332d1ae08b0557b781b85350906aa4a92439e36bbba69c453e645de5f95b13861b779344559edcfbd6c37cb785d8c75d077a6c6d0bcc4e4da224267d4a88

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
e7939582985fc44d398e6056872f6a6b

SHA1
a5dade423b394aa5020fc03a4cbfd6f3dc38deaa

SHA256
e2f9a86c620b1c1e6df6d3e6adfd2e05d36b5d69989325c4d33e34a67d9aa12f

SHA512
b8e43005828c2a61a12b6089198e10d3dcf3154c602cc9e32ab14400779dd78283093908c005638afc25a35312a2974f58f310d019a03d065a5bdb11c08bff29

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

Filesize
1KB

MD5
e97ab7e3aa6b0074d32b93257cdc1da7

SHA1
18025164d49fc3a6f011b60716dd69644b56f61d

SHA256
170db512852b57329bf06145a51d990c48cfd7fdcc62ebdbd64330f629b461bf

SHA512
3e211554bce23be4811a9bc0a32d1467d1d6dca389cc84e19f1243fcc50a679bd3b9795cd02d420256ec30b8375f39275be08e9d6e9b316e90a843cc2509902e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
653d3ccf8228c16970bb666ce848a2b8

SHA1
3677f6c49972aaaa2ab4d888f624b5974de05b38

SHA256
9263da87895d56e24c3d1b8177c165372e53c9a91a892504cdf573ffd846f22f

SHA512
e9ee6577aee8f22c76af7daf69d45de715b2ca0c04e3cf49d6bbe05c077705c1f6494f4af06f15fd9fb67a88e967b5772fe72f29ad7ed8b7294dfc49304489ab

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

Filesize
1KB

MD5
d5864c879bb0ccc28ff2bdae678db964

SHA1
ce12e3b4afe3c4f69e53325e7c18e686403aa5ab

SHA256
af7fe493026be517eacc0a34aef5e9e6e650577a9bdb26afcfddc3dc8b37f786

SHA512
28841ca13b148cbc07e86bbffef7bd349025cbfb16a4f2827c0ff85646a96abcd7ec08c60dec6870ae6f11518d478b27f1b42ae6b2cc477e98015255ef2ac28f

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
45cb197d2b6ff8880ed5a3e3e5b33158

SHA1
4c47d984e50961577f6abf0bd4305df01e9032f9

SHA256
ae17d7d9681b7f4d70eaa7c6297aa5d51d50105f44adbf16607d5bed17e69b2c

SHA512
f80e1d8e8aeac2277dc55050bfe360ebb9bccfdbd99dbaa8d59da4af843a5a3b8a1727d5fdf4263213e4939bd094740f77ab95cf2e5f07b4a23696d8d13b6de1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

Filesize
2.0MB

MD5
b627bffd2113c2470557aa8c8a5f06fc

SHA1
fe28f0cf476a239c6c51ae652e81df60e68fe2a3

SHA256
2646c15a13030dbd58e361cd8e09020b69a423b5ee019549c9874ec6f7a36493

SHA512
9caa51fa3df499d64a4c0ea1772233e2b0919f26c83871f50bc2f3a8a8907ea1df6659571398984953d38744fe53747268488e42af83d9c0fff703108ae5ea01

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
4KB

MD5
a439e43377cc1b82526bbaa7342cdba0

SHA1
a4a5e54e5fe636d18d5de57f58d694d6bc717215

SHA256
825f1c8c7daa8526ab507d4c740950933f87254e55e123ac0b769d22c035288f

SHA512
afccdeddf98b23ad7bde8a05f6a8b09b0406f51a7c849d52479ad4b621147cb592c2834644b917cb1829406ad5ba0b8dfcb50f9d72a2c561b50a1f4d243b9dbb

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
9fe2fbf00ed9a133b6524ba605f40dcb

SHA1
4680d8d470d9f13b1657a675a86f2976ab402add

SHA256
1f54f72a58224c5ec954b9058855b55cfd84c765c5ad241db7859e27d415772a

SHA512
b3180b8318917e40f377b90355d06bbe19003755032eb25284781f0b2bdd65a139cbd07e17b0fb6341f804a1fbfca7efdf23dac3bda0703264ab3dad58ed3db1

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

Filesize
2KB

MD5
08d54497c0b45b761e3e1fc8931752a7

SHA1
2f7b3967f52c1e86755edd2983eea7598a4778d1

SHA256
14f55d1dd04936998c67146d68038e3b2c030a216c55bcf0f6eca3cd0ca06a44

SHA512
da0b8c92fa2c134f9e09e31f1bab5e80fc9363d2ce532407d3a83f5e00e2724db39da1b38b97f178172f262b6bf0a7ea065891003426d5aad3aade20e1d1dafc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

Filesize
641KB

MD5
558aed0d19ef0080e35bc45751f04f2f

SHA1
108bb34ab75ea1d3d90082951382ae635cea2214

SHA256
37f6449047489e03e8c3cfdb5095a2a87862e7a2744a6bb5fee3920500ad82ef

SHA512
0aecd91ccbd8d295c7b1a1550367a14ab8809db956d4b3e9335469d538ca9902b8608ff350e17531bf092a0d349e1407c5ca450f799ff7934a1265d21bfb0552

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

Filesize
12.6MB

MD5
98661e917d1d942fae5ad4e8cfea6711

SHA1
0469db78bdb6bdd8adcd4b12431286306f79bc8e

SHA256
375f67c5e204a6c8d9308c735eed5f537f097dd342e1688cfd754f085df49876

SHA512
b25f40b5e3e1f71a0de2ad94160e114b9274f4f87fcfdf34a29cb47402e2e3021b88f7faff23585af7b0ba7587a7b1b3f41610277f4ebfb4f6ca6f724819711b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

Filesize
1KB

MD5
35245102fec5bf8b1b774223a6a74a15

SHA1
5eb4513d04a53e6ab0f6149370b593d9e90c61dd

SHA256
95e68c6917bec5745f0cf2a1c3bbb202dfe75a9cc0ecfce9567931d3b385bce5

SHA512
c2898535e3456b475c1dbb1dc4bac04a117ad995d27ca2254b1ea501e93f6968806afedffa27342b8286a3bcd2980da12e4c687c7d7f26b80ddf55f460b47f11

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

Filesize
652KB

MD5
cc387c361ba81029982189d817940a37

SHA1
75b0f567aa6a1dc6c21831bc60f29e02c9017c5d

SHA256
ef24e12670fc9bf2a8914b4975b43e6291ec5e7d74dec1f4d83569faf089bd87

SHA512
a3a61a693c17cbd47fb2d7c426006f88115a82da69c09404d96c9aecf6b9253e90e4c5678695b307344e180ae70ce0bf11c33eb4d618cef9e85e4644bad4e878

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

Filesize
635KB

MD5
fef179c71d416ef132ffab5749bc40ee

SHA1
6155b346b86d636db5dc210da21ac07a4bfb2eed

SHA256
7f1e48bcbe333c194c49611b7ceefc7b8126a301ff1427debde9e305c4e93980

SHA512
114ef880a542d9297ce7ffb47d2c3c46a9f904ded61e0f2ce0bf04c5647135df80b4245d9ba2aa56c6c6b3ec10d360ddf5c8c84adbb5695aa113ad2e7dc3cc24

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
6KB

MD5
29dfbba08056e307af0e653a09aed3b0

SHA1
526344b9ada65f167e5c4d90c30cc92f1d31b4bf

SHA256
7f5d66d2d0809a58d1a0070002b8784cc6bd80e7d2e6c8bcf8121bf25a73b50f

SHA512
8e097bb4d556cf375eaf813b002d9d10fb3a13c236d3b45b42ead1e2967224d7f17ceaf0a46da371ff995447f52330c5c7a8a2c1dc415c4344dd969ca187708c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

Filesize
2.3MB

MD5
1bd6d86406c9306a50b031837a7a8e8f

SHA1
81c27f388ec23ad946c959f56f3ad81f07e1f5c0

SHA256
89323ebbf7a5b713029e158187d64819060bd5beb48bd4929a91c1269f228ad8

SHA512
9139e380d8cf29a5bcafa95a681827d04a6a0d9f4b33901142ec975e9816388d56fd979040f2f0b38c46e063f96160757118d7ac524b2c6b552d9d7168a364ba

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
614df4d6013d4eaf8ff7ccec8be18ca4

SHA1
3ad1d0bc95687cfbac16547e6ea2dc8d52ca8ac8

SHA256
b40b267023adbcd0fb89eb23e67fe20647a29bd26c3bafb41fd325f0c38d0649

SHA512
cba830ae564d58333db5a77b4128379742edc2d24981ee94e88997a82e42353b836886bf9b6efa9b0983c5e06f76d5c05e6c5248ee3c84d0b28df125b4389f9c

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml

Filesize
1KB

MD5
3d268418a4c0ea02a97eecffe12b2db6

SHA1
d39c31c0f572a0d0a402af64428848501b78a472

SHA256
efb06241627c4460c3d6ce655d5a1847377c024644cc19b4128c12674bffa2ce

SHA512
29ee4936043ef713fcf27bb95cceba53f26dbfa931e1e3167e482dba41a52505c73e03e0c63dd5c1a40ac12645fb8c528d7634482631a9d55f83e7b337bf1302

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
2KB

MD5
e47e4a73eb30eb31ee71152f164abc14

SHA1
a36e484985ec0ea45767d66c3127cfb5300bf9d9

SHA256
60ab948a4934cb4c87a4b52b47d9db7a51eea6509d4384da42ab82d06b400d2c

SHA512
1e783c4c0c0ff71a55ac0b0e95f9a23aaed9cf842f9b1b9307333b8e4fd9f0a5c7f25d896eee1543a583735297a2f1e86967f804d86bda4a58fba4db87fdc42d

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi

Filesize
1.7MB

MD5
a516a9dd1e86c39223d4a9331a264537

SHA1
504bc2c818c962b67587e619fcc4964093fb5957

SHA256
c0cdb2facdb4dbc417473ec965f08e919cfb2ed464adc42304dcd418a50e9edf

SHA512
191eff286e9f32026d01c549b68ea48081e6381ee642ef2abff203d1db62ec72601524acfca33eb755346b279128321f4872258b8e459a8b8fbaffc2c3df6452

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
1KB

MD5
bc88c3ced12a1acb32b53114c4f5e768

SHA1
452ed1ba4b5fcd8c09f0b225101d34e771449865

SHA256
47cc0ea414bf7c494175e3f58d588056bbdeee8842f8817b6b7c4d115ac7dfe5

SHA512
db336e4d3b4474f5e02143faafe53a2136c8931854da132c54bfeadd512405bc7781795ce200d5c41512e41ee2a9ebfdaf5f5dc06ffd64802155ef92fc924c7b

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest

Filesize
2KB

MD5
4edbd38cbbfc3ea5f53faa42fb939f01

SHA1
561d27c51757faf2103884b09a8a8f2af3acf6f2

SHA256
3a833f6a87396ca79c0678e5ffda5170ee7b0ac3d11139c6a6bb3c414009258e

SHA512
90b40ab2bce9f806167db1d815c61f9cda813fbe2aabfe7c5a25f87a4087b18c7c3d82d4f4d988e30abd8460bd7e7f113f24370907bba8987cae84d9ce72b56f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi

Filesize
2.7MB

MD5
42e6e8aa7c49e0a1c6906968454b730b

SHA1
13b6aa722c1c34e0b9d31957150b593cefe14265

SHA256
d4b5e60fe0f44a4d917c3820f324bcc7c6c6ad1bb1f761f41bf1f58659fbd5b4

SHA512
501bce640edb1fb347c495a44aff815caabb83fea6c4bbab59d2324cb78d7c7dda5b4429f42bf90163306aa09ccac8304a1923569642aafd10bfe8d36484e750

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi

Filesize
635KB

MD5
e1284bdd57a3eea8e1c9779187233852

SHA1
6b7d288176b27616d45831ff79e5d9df35fefa31

SHA256
1a3838562c3687d1e8e2fc14be296922e4f444c05697464b63fbeb21f36974d5

SHA512
eb1d4f2475fe3d7ef92524dd6ee863bf1dc4b87775d025487c51a2e58471b05f73eb30abdaa081e37ff1aa7503f3050f09c4e4a33d918c5683efad69fce402ca

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml

Filesize
9KB

MD5
472061ea6b7145893f72bd46e203f128

SHA1
c9d1cac5a0799e7ea9ca235af8b40875f3702a28

SHA256
8a6fd0d8544ef624bdef2a0191d1af78cbc9a7150732d392aa0eb9df47d6ff98

SHA512
4dd6c7c305cfabe38594b77b736cf6924524b9f0cced6e5cd064f4f7ec4df76c1d5d704d390e7db56a6dc5340a5cf891f98673488ac80bfe810cde429d89fa41

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

Filesize
26KB

MD5
b15dcd955c489d59a876f2f32c6405d4

SHA1
4c4975c3f6eb663e85ff8b2d0e2ad601daf1b237

SHA256
b5b928176e180cb6c153e765b20dc12237c2ffa02ccfdd479df6b21b02533201

SHA512
2938f9bb4eab9189dc6c43baa9fa1bedc69793f164195341643374f4a68abea71ff172d2d3587365977304f7fb1dfba8fb1219756009124d28aac8253f2b603a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab

Filesize
1.1MB

MD5
4af0b564df81b4068f86d4aa9e33110e

SHA1
9fe47c5de43dc4526ba4eaa53f5b23d4d80d1c7c

SHA256
51f10b33c213bfa69c813f71be4e72530188e4d1dd0b664455482400f0d8e5e3

SHA512
f5cfd5668ff3de5c78efd7776c74e95dd18c3801d048e9b14fae463319347791f430c8217f583e4434ced255ce0fc9eb361e93a52fa50e0ad4bff4deb2235397

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi

Filesize
638KB

MD5
89c10e2cb7c00c906afd7243e3cae8f5

SHA1
b448ab411c332eac1a1d68504b3c5c6253262f6c

SHA256
fae38a2dd8b3f95f68b06e6699bf097d14633df3299701a18a21372ffb9697e8

SHA512
2a2410aa701f53cda50ee74628c6479f4a51999f6d730d84a214f06a80aebba04d2c3217430098acdd928e2404df2ab001d0b02d696ba000643ece659532d00e

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi

Filesize
635KB

MD5
0b6414ae44046a9c6008ebdf054e57e4

SHA1
df1e0b6219896b762e189e3692354206b945e657

SHA256
105b315ab548b925fef1ea283fff042e27233bc296834eb4f70c5ae159a519d4

SHA512
f34be542ec50cb72480b0423968543dedf5a911f01fc1dd3efad25bd8a52684a17c1d3a4c0a0fa232fac494535e055468b82ac97dc5aaf94b8ce11ef2d84983a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccLR.cab

Filesize
26.7MB

MD5
543fef7584ba6eb8db4f1058073a1d73

SHA1
743429fb955a53fb1aff88fbbc6ecc1a8c372eae

SHA256
f72109b7083fc39a3f23e9c543e688e8d437355bf9af03259e9243e6e68f6da2

SHA512
168d747931f460ac3dc87cdbc9bd226411aa0b491a9cb1912e8496213b89a93ff3c788e74616d924894c6736d8323cdcd22c8a75cfd5957e9e8a542e197abaca

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi

Filesize
1.7MB

MD5
689e36172e53dba6e0565eb586b17645

SHA1
38e91adac39f8fba04deb438a436c813fdb6a91f

SHA256
654a6ad01296e99d26dbc89ee46a9bbf94068386b7c04d484f68b984cebd8f53

SHA512
39b8adf9c0e5bd1db1d552213ae3a9ece78a7a74f26f33a66418d3ddf8d5e7a91de881e7048bb0b5895536a86b87c523730a93d447e9659492626be4d389ca62

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi

Filesize
635KB

MD5
b7096d82a0c267a339dc83dd8afbfc41

SHA1
31ff97454f72dedd9fc72bf424aef336a1171943

SHA256
fb337bc78208a1a61a56786ce4f8ec1c70885ff012aa1b563e18faa4fee77743

SHA512
088c2016a33dede574f1329e2309b20375337c8f07f5471f0859c92de08897e7bba5736ed4d3491a2e10d59e1657d027b1e0b498143aea2f3b7be90a802eead7

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e0ffcd78-9b22-40d1-a23f-5e55cdd3b217

Filesize
338B

MD5
4101c08c254a982fed9cb7211f085b04

SHA1
d238b21a47b8a7b4414ae63dd116367ab66934b1

SHA256
08f3b409b890352f5682cd5f7d18311aa42685332ca55b703e47928dc71e17cb

SHA512
953dce22fea9e12dda4067414e602b027d41211f01bc62d446c25412a67afe4eca51344c1ba0db12e0c73648a18046c88a17942c94f33b723eb6ed706824aed3

Download Submit
C:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\SwOPh.exe

Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\Users\Public\SwOPh.exe

Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/992-58-0x000007FEFBE61000-0x000007FEFBE63000-memory.dmp

Filesize
8KB

Download
memory/1132-71-0x000000013F910000-0x000000013FC9E000-memory.dmp

Filesize
3.6MB

Download
memory/1132-63-0x000000013F910000-0x000000013FC9E000-memory.dmp

Filesize
3.6MB

Download
memory/1132-66-0x000000013F910000-0x000000013FC9E000-memory.dmp

Filesize
3.6MB

Download
memory/1132-60-0x000000013F910000-0x000000013FC9E000-memory.dmp

Filesize
3.6MB

Download
memory/1220-139-0x000000013F910000-0x000000013FC9E000-memory.dmp

Filesize
3.6MB

Download
memory/1600-54-0x0000000075CD1000-0x0000000075CD3000-memory.dmp

Filesize
8KB

Download