ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
203s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-08-2022 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

WYuHb.exe

pid process

2008 WYuHb.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Dwm.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ClearConvertTo.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\HideStep.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\DenyImport.tiff	Dwm.exe
File opened for modification	C:\Users\Admin\Pictures\DenyImport.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ClearConvertTo.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\HideStep.tiff	taskhost.exe

Deletes itself 1 IoCs

Processes:

WYuHb.exe

pid process

2008 WYuHb.exe
Loads dropped DLL 1 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

pid process

1424 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1424	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\WYuHb.exe"	reg.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00095_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveReport.dotx	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\Documentation.url	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.DPV	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\PDFSigQFormalRep.pdf	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\MANIFEST.MF	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Rome	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01560_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Santa_Isabel	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18208_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0297707.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Dot.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105380.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115843.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\es-ES\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\msadc\handler.reg	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107450.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_OliveGreen.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.core.commands.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\AdjacencyResume.dotx	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jni.h	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\core_ja.jar	Dwm.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\ChessMCE.png	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.net_1.2.200.v20120807-0927.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222021.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00505_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\TURKISH.TXT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\THMBNAIL.PNG	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Generic.gif	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF	Dwm.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14845_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00121_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03668_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Rothera	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.updatechecker.nl_zh_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB7.BDR	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\TAB_ON.GIF	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\SpecialNavigationRight_SelectionSubpicture.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21314_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(inch).wmf	taskhost.exe
File opened for modification	C:\Program Files\Internet Explorer\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.text_3.5.300.v20130515-1451.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\EVRGREEN.INF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1792	vssadmin.exe
68720	vssadmin.exe
36032	vssadmin.exe
71536	vssadmin.exe
71116	vssadmin.exe
71120	vssadmin.exe
70660	vssadmin.exe
220	vssadmin.exe
53600	vssadmin.exe
54316	vssadmin.exe
70416	vssadmin.exe
71576	vssadmin.exe
71056	vssadmin.exe
71476	vssadmin.exe
71564	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

42136 NOTEPAD.EXE

pid	process
42136	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WYuHb.exetaskmgr.exe

pid	process
2008	WYuHb.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

15256 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

WYuHb.exetaskmgr.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	2008	WYuHb.exe
Token: SeDebugPrivilege	15256	taskmgr.exe
Token: SeBackupPrivilege	71144	vssvc.exe
Token: SeRestorePrivilege	71144	vssvc.exe
Token: SeAuditPrivilege	71144	vssvc.exe
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE
Token: 33	1484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1484	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe
15256	taskmgr.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1148 taskhost.exe
1224 Dwm.exe

pid	process
1148	taskhost.exe
1224	Dwm.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exeWYuHb.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 1424 wrote to memory of 2008	1424	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	WYuHb.exe
PID 1424 wrote to memory of 2008	1424	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	WYuHb.exe
PID 1424 wrote to memory of 2008	1424	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	WYuHb.exe
PID 1424 wrote to memory of 2008	1424	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	WYuHb.exe
PID 2008 wrote to memory of 1328	2008	WYuHb.exe	cmd.exe
PID 2008 wrote to memory of 1328	2008	WYuHb.exe	cmd.exe
PID 2008 wrote to memory of 1328	2008	WYuHb.exe	cmd.exe
PID 2008 wrote to memory of 1148	2008	WYuHb.exe	taskhost.exe
PID 1328 wrote to memory of 1104	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 1104	1328	cmd.exe	reg.exe
PID 1328 wrote to memory of 1104	1328	cmd.exe	reg.exe
PID 2008 wrote to memory of 1224	2008	WYuHb.exe	Dwm.exe
PID 1148 wrote to memory of 71080	1148	taskhost.exe	cmd.exe
PID 1148 wrote to memory of 71080	1148	taskhost.exe	cmd.exe
PID 1148 wrote to memory of 71080	1148	taskhost.exe	cmd.exe
PID 71080 wrote to memory of 71116	71080	cmd.exe	vssadmin.exe
PID 71080 wrote to memory of 71116	71080	cmd.exe	vssadmin.exe
PID 71080 wrote to memory of 71116	71080	cmd.exe	vssadmin.exe
PID 1224 wrote to memory of 71440	1224	Dwm.exe	cmd.exe
PID 1224 wrote to memory of 71440	1224	Dwm.exe	cmd.exe
PID 1224 wrote to memory of 71440	1224	Dwm.exe	cmd.exe
PID 71440 wrote to memory of 71576	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71576	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71576	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 1792	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 1792	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 1792	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 220	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 220	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 220	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71120	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71120	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71120	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71056	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71056	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71056	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 53600	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 53600	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 53600	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 54316	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 54316	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 54316	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 68720	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 68720	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 68720	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70416	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70416	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70416	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70660	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70660	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 70660	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71476	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71476	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71476	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 36032	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 36032	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 36032	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71564	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71564	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71564	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71536	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71536	71440	cmd.exe	vssadmin.exe
PID 71440 wrote to memory of 71536	71440	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:71440

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:71576

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1792

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71120

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71056

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:53600

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:54316

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:68720

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70416

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:70660

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71476

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:36032

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71564

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:71536

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1148

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:71080

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:71116

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424

C:\users\Public\WYuHb.exe
"C:\users\Public\WYuHb.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WYuHb.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WYuHb.exe" /f
4⤵
- Adds Run key to start application
PID:1104

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:15256

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:42136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:71144

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:71612

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1216

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1484

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
Filesize
22.8MB

MD5
fd85b2a90f3c8e13fa5e9092222e588b

SHA1
c314307c2187a60b42c5956f5eecf283edb226ff

SHA256
43b22bd541fc5b27ad92727b9c1c8c459ccda44af8f272677f6d2926e45af282

SHA512
9e0d0f71a0ef6a2c94d8acb49991974ea43398bc53b5ba47dcbc7b5a1e949581ece3050f228cf99c819a6061ef00be339e97df8f167b5143eb421aa266153bf8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
Filesize
2.9MB

MD5
619d04db101622a12012b0b4aa4ca103

SHA1
e56cdbd6f1bcd8d7358d7fc5346b777de4f081cf

SHA256
b24f029463e6dcf32072c6729025196b41156335fb4b8846dd9deca57f66948c

SHA512
6897ce2eecf84e933d9ab15739d789293a7695951b8443942f1d3cec84e09ea8dd94cec737ad2dffc23e769d3ac9b02ca88e7ba0b3c747d74584765c7e360f0e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
Filesize
4KB

MD5
1badd174d2a7fc7123d3db627b976233

SHA1
db37358bcacf9f575e64c40aa51222ebaccb16b8

SHA256
901f8e318994c2b2db198397dd90fac462e56a226b83791d5279b7934622a0e1

SHA512
ada02268c6dcb651f48a1ba9be03514aa88a2f0c18a9f862d42bfe4c9ac2f30277ce0d05245da445e024ea63d18d97b5d7114be7f9094cfb81cab8cd9095e4f7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
Filesize
23.7MB

MD5
361372e8ed707e6d6b7ccda42ea33d9f

SHA1
7bf055877a488322febaae05a4b983b5203bacae

SHA256
ab1fbe87f520eb1f1c22fd77bd55b63e277f82c069de9125af9d2b9169030057

SHA512
9b15cc53ef1fcfc7f2b5d1c40d0fedf041b99c3e79dfd5a020df02c22e319b6968db3992c0a9b23cd8f3a7e6ab2f2f550ba2820b3b54bc307a7c8b3260245e7a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
Filesize
142.4MB

MD5
5b89988dbf2985769c0fcdf793d90bed

SHA1
64100a835765da1d158c1e8415bc9177ef31c1fb

SHA256
cc17d90e6e263637492ee30c3e523a8919ae65e05982f9f56a3ffd4545d440da

SHA512
fd95202d89d0046685709362ecdea5942b16e44e189cf16dc0734a6ab3f2b2fca8e74a0616a55a90deaf01965fafc5970783d54e6d10c35ec355329ad554d67a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
Filesize
31KB

MD5
84f8f7e00732fba3dd458340366ea08c

SHA1
e3329bc4631d6c9c1e639791acfc90335f018416

SHA256
c1ce8a38c7b5fb402ca27c9e6a6ba532a6d0b37850b3be1ec0a96bc89941da64

SHA512
ac3eaade19d1557d60273d7591ec7ae5cda4b50548e4e147e93e8369ce3c3feaa549ae62bfe685dad6c1838732c47b1a564f997785121a60c80a552cbfbfc4a0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
Filesize
699KB

MD5
4dac9cefd3dc7f5feba819c05149a818

SHA1
1c632642e0cd1633bf7000c5be70f6a8d1c31bbe

SHA256
2052cdd2d19fdc1c410acff2064d6ec0c608cd2b8dbce670c8ad856c7c0302c4

SHA512
0cd3f3384008cabc1bc8b0c402f2b273e46724fe6747da576f78266cdeef5420d72b5178d4b0ec417625e006567d108770df18429525b262efcc88dbd4a49544

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
Filesize
1.7MB

MD5
68c80dd087d5e8063710627a4bce4863

SHA1
ba5d86db5e2cce27bad37fccd0c9baff64feee8b

SHA256
14d6705f80e296a4064d4bc7cc63af79baac6b79e9420ace02adbbad4d81218c

SHA512
10910d4c969d3640a9bc0165b9b8a1e539414d21ba518541e4ce97f482411035a47bd83c2e09a0e65f7be38117248733a4dd288fcd08b68b13b6a4512fe15d90

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
fae75f01c1092c3a32a20e2e13240784

SHA1
b6e7588d4ab0287364c347522b339b64a0c85b80

SHA256
c86ad416f838754a17deea40d78fecb10507c1b8bba0f3131f1228fcf31e72de

SHA512
c11812bb5900f7315d0fb6eec7e79d0b002e1ff30568f3f1d9bd20e819cfcaabad442f8d4fd214c24dd132727291a72aa60c33d173af1006ea259dfa7708e6d9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
Filesize
1KB

MD5
87df4abfa73a121e279c13fca7d8a181

SHA1
e60f3f6e5b57fd53060d91e39beb931479452ca5

SHA256
3266fbdcc9a08b1918f196a34a8f1787d04de0c828c3d6205613856cec329db5

SHA512
6b2f8a08e4d016ebefd33acc8f8f52033acd2cf9d13e2830b2059c8f316ecdbf9627d8a2fc4a6e621648772562fd8c5d3b13733fd9d9099b7addaafb2e96a7ab

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
1374a2fe9b0692d40d81211f31653567

SHA1
7bff94f178b95a9758342dd536fd69ead2f4a2c1

SHA256
3b233e7c1c6a9c6787a90817cfbce2368c06fc16b570ef85006fb897f9a3bf09

SHA512
58e7f554336ba2a8aa77438e69aad2e8fc947e66c6b51d48b7093df962192db4cab3fab6503ab0882ad12b6b1852f19c1b04c3905d9187d38c222905c14caa90

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
Filesize
1KB

MD5
72b407b09a02114f113adda11cd645f1

SHA1
3b478215a3dabd5f9c19e5191c848fbdc15494f0

SHA256
c04b5a973c5f4310d3098e7476c683a23761a2f949217f5997fa4e3e50cf3590

SHA512
9dda55e2eb6ac49d0e3ed60fb490bf06b31812f99c7bb33e9e78f073843dfd0d59551a1f52928fda9b11815ac6f29a1e7f1ea67e8a59fa97ef4684a77247b6ef

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
4f76ee2d2459b396dfa8e7d643283eb2

SHA1
5cc7a78f05e3e7c55cc8193c74ffb5d13bdf488e

SHA256
3a95cb187904a9bb60080c2719eaee5d76e97359198b5b35636d7bb8323f3ba7

SHA512
7ac856e12380c5ee75ecf4007ebce8fc63ac6e32234c46539aa9d1b644ba058a5a22291e6442da1597d6e6cfec89a0a4c6d5d0adaa87184368a4d50a58ad6b28

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
Filesize
2.0MB

MD5
3cbf42c9ef0d3cedfef22da1f05caaa8

SHA1
b4e939c35d60d0ed37649c400ea5e68255e99769

SHA256
7aa04fe353082038df6f97947545e1fcc882243aa88732e54199b2ef9597f1f2

SHA512
6209ab72e83b72c3c7d01cccb8acd9581a770e43f8946d85fd4060f027edd12df42eda3e1ec8beadfa7f87177688416aed8106007c56d529be6577d92dcdddc5

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
4KB

MD5
df5c130d2bb31766221b1b42232bac86

SHA1
aa6b8e0f1457e80d84ffbb482771c2e391bc4682

SHA256
0df326d13f58f422c7f3b62e00e60de820e58df3e1a41d8d6df8b5b9b509a013

SHA512
6efa530583ff88f668700d97177a6723c094ead0215aa65daba6f9cf72793f9f23eb99ccf1f0a5e12f837347b8a655b3a04e720af267ce462ba0db5a7dc3de16

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
Filesize
41.8MB

MD5
2758e6db12d9624654b914d45b4c63d2

SHA1
717055fdcd418e833bac0d6b06f20dca588a19ce

SHA256
bda322a936ff732da37025f04718fc0a3d0b2f4de23417530b9a560a8dee05ba

SHA512
ac05599b5b3f16fb1a5c54b0cf4a3641d5322c7cb8bb1b963bb1595b2c989f10945ec0cfc5feadfc9427d6f657cfa72e8c1cd35073fda150c5c90883043e4033

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
Filesize
2KB

MD5
fbe4a9135927a8b67d20b8668f735cb0

SHA1
eb0eb1e5446c58be111b2fefac0aac4d49fc12a7

SHA256
10e4d298e142fd55844455fd9a2ec46d35e52fd96205668f2b553818c511a768

SHA512
0ec471232a40bb5ad51c8cb35f20c17692c279fe94e8ed234b355cc6e0e31f339da96350e2820c336b36ae6c5d20361d049ca66511c4884e60a3488eadb293ed

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
Filesize
641KB

MD5
f446f82f5b5c9a6cadc9224d4d5d0a48

SHA1
19a1bc48d484f5f927f93e1c97affd8897666c27

SHA256
cdc95017d93118b1d1b78c9a4442c402e85b62451d35bcd23b69ea757510dfe0

SHA512
355d9b25e55a34795e9730e4669271189a8120814acd6b88671bc71d7cf4070eafbaa5b408ba39c8a49f9d1ddcc7815902050a900217e52f4710f9e2ed36c745

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
Filesize
12.6MB

MD5
ac2d02b2daf07b7d65a05beaa25be75b

SHA1
4175bcb817fca43e87b0f8a1ce84f9b8fef69d66

SHA256
cbb0175862d5681d4dfc1b3a919ffcdb392e4d7c936d91e990e9c747194803df

SHA512
3cfe20c89e5326a13294389cdd4db8b25e2cf276615dfcf622b4d6369cab64e8271261005b312e505b3b118f6d27f7f74daaf5f7654fdefb2cea9ab919b22861

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
Filesize
1KB

MD5
49b217d247a7a75dd3f7bf23dcb86c90

SHA1
53956158d20927a96ad41571d7c179168a7fa012

SHA256
105dd8794222dc5aad762d024299c0034c879d5501d572a1263686af64872fe4

SHA512
6d3084628ecde53b94f7dc6316c6698526193d7c7b42fe59d1266dd8ce38b56bc0f3e6059d0e6dc13bbcd8bca880443d994b72c0c64a861c2e7804242cbc367f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
Filesize
652KB

MD5
dfe21c9ddca26a1fb23ecfa6a616f8a4

SHA1
79562db06ba06598a7471ce85ade72e42dcb1c5a

SHA256
0a4504f4047e4423068b8b45c3c28cea9c15eda179766e4284176d790d9a8b56

SHA512
7314b2f934469e8e69e747f64a7f16e1ab9b03ac6ed0e5176c2a5a84f82852a2ec0348a29b2fea2df06f8b56e2fc092b6542b98c7fab80b81885f7afe316698d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
Filesize
635KB

MD5
b4d6d8c01fdfd6138b8694d985c9e821

SHA1
d3b125587521e4eb8a71964b85dfde036a6846d5

SHA256
5c937204cacbf893d1d42ae07da559eea15fbbb38bb61be839b5f910c1103cdb

SHA512
0386c0545a218b7df2ab8babfd187b338f99876b993d89c09f961d70bf01a5ae8c5bcacd98b355f2458526cba3a664744cf21b2cdaf200577e7af543f0e22599

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
6KB

MD5
59c9577fad22768faadb22ddd9bfde3d

SHA1
f7cbaeccd4385fe5863ce02baec436c5c65d9e0b

SHA256
6537dea984daf892a4e70919d51f15087c8003eb4a795e24f8930f3c8423ddc9

SHA512
2a5c32187fa8f39f07adec6ddc947c096f8c0c73b05264df595015a9bba455f2575cd54bea93788977369dad54b5752d36959e596e2a7620d69443400b7e2607

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
Filesize
2.3MB

MD5
768f37fbe2ef5b51073eb8e39d73a14a

SHA1
8c9be2566df9e621641adc2a85e7608aa1bc9bde

SHA256
bdec03e6c38eb3e9fb649b8091466863659e5def90b144a01086da0eefca3fe9

SHA512
a53d8e40fd84a14b26c12fb257d6c11848aa43c0e6eed3833421c689ce2a74e46d614ffb95b6c823dcf0201b6448bb27c01e22b6e4d295ad1e940b8e5f956d5d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
a557aeb96d077244cae35e9073e0b662

SHA1
19f0bb8dfe8c5ae10c79532c0a03a5744fbe6821

SHA256
c88f4ff0fd3c533686c2b1486f67121d84697bcd88ad1ef3643617f764e7353a

SHA512
7c92154d2a20565ead3cd8f717310f3b1fdc6c792929298e59a5680cf87b7f266077021ad40a0a256290b0156b782049ec07011ffad09781f7ea01de84a651ed

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
Filesize
1KB

MD5
fe82f8de5550c83f3a511dee0092d433

SHA1
d13b20ebcb3e580fba2d31ac63e5c5aab8645dfc

SHA256
6295d9370b6b11552387b60da0422f579db75f8f410b5e20e9a883ed62da8b76

SHA512
e6fe7d6c3404a6f097bfadddc0afbcbafb082fa21ed5c1fd0e0efaa6c47ea4037ae7bcfb0efa9f4fd36a5573cf6b106ce96c0b04516bea84e8db74640487dece

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
43452f76d1080bef91d43379113f5742

SHA1
078c9ff23a93eca9c5a94096382cd8aa9a20ca51

SHA256
e5f9c7217a0586b8fa2a17a1dd43c3a097b1c1495adfd0ffafc80d4e13c97217

SHA512
99e46e901e25f5c8cff4d6f4c37a8fb5b54e26c70d72a4ae9d503ea0010f10c2aec4192c2eee478fe3dcccf0dab1aeae1e0933c95b527137eb490505d0c1ed0a

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi
Filesize
1.7MB

MD5
a3a932d4c0887ee1d34c13c86ce1582b

SHA1
69ab5bd6584caf6e3224e83624ae925f0031a61f

SHA256
0525f5671a689fb8acfe89c98135fa3b6af224a13819a1530319d89028c1a1e2

SHA512
9962b99e5d6db1eaa9f47f1fe1e0c76ba71db602e4effdfe6d5512a2ff5584eead60609d85e07f196b6bbaec1f24eb6dfa43caeb465b3a79f11a4356d7ace1b1

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
3c4db6fec15a87fb845cc435b4e3bf2c

SHA1
a3911fc5308d5cb4a46f81fd1a1d2e205df500ff

SHA256
886bdd314a14b73c9047c120d7769e9d35854fd6ef92cfbc011fda2218111d88

SHA512
e6479fb88148dce6623329444cda15f1371679571d73182caf936d52b45734d968f4056ca1557fbd9706323f69807919075547aa5dea3fbe068d061431120da7

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
Filesize
2KB

MD5
dfe2994b314bcccc9001246654000542

SHA1
92e34db184948943d1098be9407728c8a032364f

SHA256
b299947ad3eb66fee235d826a984f435b6e1105b0d3a4296e897b424b724fdf5

SHA512
041b8fe65b33d90447d2a943200509e979d86f9c3b72fab79ad41aedfb4fa33cfca91eb111c696ba465aff1a9221780b527f63c12c4c6f1f8f813fcc83c2c7bb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
Filesize
2.7MB

MD5
b15ea0bf5f381ed7557fbdced22ec6d8

SHA1
5d06fdb739b753b837b0fe0ef201b960701c04e0

SHA256
f4924d996404b2b7f83e7181e73eeb1490048dfda4480c384ea5cb3fde2d04e7

SHA512
a5d4562324b5d9d0a2a2ded17f2ea9d5c35f66ac2bb6d4c44adb65fcdf38009721d28fa5fb1cd9773afbdbab7b4d176a0a50beb7700d9660b4454d6fd872e9ac

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
Filesize
635KB

MD5
0aec578b231bf9713bc19402722374e9

SHA1
63bf053bd692f25767d61f7654759a90901624b3

SHA256
1527127338a8376e05b5df577f8265bfb4bc783f08b1617e715cc7c996449abb

SHA512
e2a6d1b21f4af49d312d0f67ef5cc458bc67f23894b1db7be4cb3c69ea8f2b64e7f2f829ade3246a2ff6aca337a7e89d281f2400b2795cf0081b652323b13214

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
9KB

MD5
c6cff7291b337fbb6053140e3f792363

SHA1
880f5b134d31065b94778a78cc4855430e9671cb

SHA256
147ce641e48cfa1518d636c7512c213029576d859dcbbf5e97789cd140341290

SHA512
f3ce210297551ebb8a0cf8f32df17ce28219a0692a4adfe5ac44544a35958aeb1125ebd0ab19ece1027d1db57a14ee8d8b916ac4ecae422f1c97384ded64817e

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
Filesize
26KB

MD5
3d3810ffdddfbc94cf5dc1f24c7c3154

SHA1
94693ecfe2906866bbe320dd6231afaa368b2296

SHA256
0ea843a0f051da501662e29bf0c475090d2576e0d6e7369f661f5a05e00236cb

SHA512
4169e6f7c239dfaebf1ab092e68d86bb5554d27de85975d558304c14c11872e2e5b6fdc62556e3c8b6931c9bf4d590b8aadb79e8de9b02f92d9e317f91910416

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab
Filesize
1.1MB

MD5
1d36caf7af9c7ac759bfe7fce8d9060f

SHA1
327e55b539a1c3954618075e7ef5c75109a6b433

SHA256
49fe89a1513bfdc9e442acd3193b4289704214f0c3c46beb38d04d8283ca2603

SHA512
8aefcf52530546d80189511ec931bfbd2c6ad4372ff38fba6ef6723793dc5fd0ba0836347df3113b0facd18bdca5ed10c2f673805c636ca5187c52bac03240f8

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
Filesize
638KB

MD5
5ecaa76e872d85d8f2d54752d6b24d1c

SHA1
716554cfc6cf063c18973391ea49d066a5a76025

SHA256
ffb1aaf9a7236d9e0439d928e078dff476d00e7014bdf0c6ec1cca1a1ad85708

SHA512
be3d901fa3294f21c6bb00faafa172426ef483f2fca30ef07db33195e9fddc793a4703b48fd0b8170267d58ab36867856197cf5be5a49de890cb3dea06297628

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi
Filesize
635KB

MD5
b0558ee9dec62dbf7393daf0c4712e5f

SHA1
6a506ee2d306130aadd697f5c9465ae711150e14

SHA256
d8591fc493930f9ec3672b79999b6f0ad1684eaf7d83e125f6810d84a3aff319

SHA512
ef11f2776e7c455f269b2a472104360fcb3111b9aced6a65fdaec86ec181b2fc51701ae78b70746ea1941d93f49226a10a41cbba4319635897b50d521812cdff

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.msi
Filesize
1.7MB

MD5
d9cf849cbc1bb03a29cf76c25d7260d7

SHA1
02571eaffd81082d9704f50a0641318c28122aa3

SHA256
d4df1d3c112a33090768f411b674e22c2f501070bb09eff7db70ce1a0730ffc1

SHA512
398039febbfe4a9c1d09db23127617659b7c7f05a6add687e623f0c5290d70b6f6fb7faf6a57c0ff6a90c5c5d712d4769b0df1519df191cd02724a4ee9c54924

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_4d2ef0d5-1240-4a07-93d0-06481c31e0ad
Filesize
338B

MD5
d50a16e0e20b1824ebbc80e41316324c

SHA1
33c1070297bc3b78d8ac39a3b0d1d620a93e0692

SHA256
a9b86670afb3d383dbe0579646c03a2a8f3ff4e826edd607c06bbaf9840bdfd0

SHA512
915b67bfcb3d1af8e2163437c7d02cd3f0f7662df517299b9800ef4c2bfe34402c7a254ec3466cc10100d6fc5b50c405b842f316ba00f9b331328ec84781981b

Download Submit
C:\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\Desktop\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\WYuHb.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat
Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\Users\Public\WYuHb.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/220-143-0x0000000000000000-mapping.dmp

Download
memory/1104-62-0x0000000000000000-mapping.dmp

Download
memory/1148-66-0x000000013F750000-0x000000013FADE000-memory.dmp

Filesize
3.6MB

Download
memory/1148-76-0x000000013F750000-0x000000013FADE000-memory.dmp

Filesize
3.6MB

Download
memory/1148-60-0x000000013F750000-0x000000013FADE000-memory.dmp

Filesize
3.6MB

Download
memory/1148-63-0x000000013F750000-0x000000013FADE000-memory.dmp

Filesize
3.6MB

Download
memory/1224-139-0x000000013F750000-0x000000013FADE000-memory.dmp

Filesize
3.6MB

Download
memory/1328-59-0x0000000000000000-mapping.dmp

Download
memory/1424-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1792-142-0x0000000000000000-mapping.dmp

Download
memory/2008-58-0x000007FEFBD11000-0x000007FEFBD13000-memory.dmp

Filesize
8KB

Download
memory/2008-56-0x0000000000000000-mapping.dmp

Download
memory/15256-68-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/15256-69-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/36032-152-0x0000000000000000-mapping.dmp

Download
memory/53600-146-0x0000000000000000-mapping.dmp

Download
memory/54316-147-0x0000000000000000-mapping.dmp

Download
memory/68720-148-0x0000000000000000-mapping.dmp

Download
memory/70416-149-0x0000000000000000-mapping.dmp

Download
memory/70660-150-0x0000000000000000-mapping.dmp

Download
memory/71056-145-0x0000000000000000-mapping.dmp

Download
memory/71080-73-0x0000000000000000-mapping.dmp

Download
memory/71116-75-0x0000000000000000-mapping.dmp

Download
memory/71120-144-0x0000000000000000-mapping.dmp

Download
memory/71440-138-0x0000000000000000-mapping.dmp

Download
memory/71476-151-0x0000000000000000-mapping.dmp

Download
memory/71536-154-0x0000000000000000-mapping.dmp

Download
memory/71564-153-0x0000000000000000-mapping.dmp

Download
memory/71576-140-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads