ryuk | 3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289

Analysis

max time kernel
100s
max time network
96s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
06-01-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

msedge.exe
Size

413KB
MD5

cee276c40f8aa85fe77c1e43cb87cb9b
SHA1

f57853fb3bb038887c0773a100cec95837bc2039
SHA256

3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289
SHA512

7db64681c0d854d1e3beed72ee4cabbd7c71a9eae84c41a9cd03da6e9494986943975596a4a3ba8ac9d164dd27cb4437d16a2b7150f9a78445d06699abe3ca2b
SSDEEP

6144:95yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQCU:9TX6WSofcZ+KCIGDU

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

pCEUW.exe

pid process

1328 pCEUW.exe

pid	process
1328	pCEUW.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BackupOpen.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRename.tiff	Dwm.exe

Deletes itself 1 IoCs

Processes:

pCEUW.exe

pid process

1328 pCEUW.exe
Loads dropped DLL 1 IoCs

Processes:

msedge.exe

pid process

624 msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1328	pCEUW.exe

pid	process
624	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\pCEUW.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\PST8PDT	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Cocos	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Premium.css	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03470_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105380.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090779.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar	Dwm.exe
File opened for modification	C:\Program Files\UseOut.aif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Panama	Dwm.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\PABR.SAM	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\RyukReadMe.txt	Dwm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
776	vssadmin.exe
1932	vssadmin.exe
604	vssadmin.exe
71060	vssadmin.exe
34656	vssadmin.exe
71576	vssadmin.exe
1112	vssadmin.exe
71444	vssadmin.exe
71544	vssadmin.exe
37324	vssadmin.exe
1636	vssadmin.exe
71508	vssadmin.exe
71216	vssadmin.exe
71412	vssadmin.exe
48428	vssadmin.exe
1672	vssadmin.exe
1188	vssadmin.exe
71608	vssadmin.exe
1124	vssadmin.exe
71476	vssadmin.exe
43900	vssadmin.exe
1308	vssadmin.exe
240	vssadmin.exe
71200	vssadmin.exe
48324	vssadmin.exe
43924	vssadmin.exe
71640	vssadmin.exe
71672	vssadmin.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2052 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pCEUW.exe

pid process

1328 pCEUW.exe

pid	process
2052	NOTEPAD.EXE

pid	process
1328	pCEUW.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

pCEUW.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1328	pCEUW.exe
Token: SeBackupPrivilege	71092	vssvc.exe
Token: SeRestorePrivilege	71092	vssvc.exe
Token: SeAuditPrivilege	71092	vssvc.exe
Token: 33	48716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	48716	AUDIODG.EXE
Token: 33	48716	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	48716	AUDIODG.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1120 taskhost.exe
1184 Dwm.exe

pid	process
1120	taskhost.exe
1184	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exepCEUW.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 624 wrote to memory of 1328	624	msedge.exe	pCEUW.exe
PID 624 wrote to memory of 1328	624	msedge.exe	pCEUW.exe
PID 624 wrote to memory of 1328	624	msedge.exe	pCEUW.exe
PID 624 wrote to memory of 1328	624	msedge.exe	pCEUW.exe
PID 1328 wrote to memory of 692	1328	pCEUW.exe	cmd.exe
PID 1328 wrote to memory of 692	1328	pCEUW.exe	cmd.exe
PID 1328 wrote to memory of 692	1328	pCEUW.exe	cmd.exe
PID 1328 wrote to memory of 1120	1328	pCEUW.exe	taskhost.exe
PID 692 wrote to memory of 992	692	cmd.exe	reg.exe
PID 692 wrote to memory of 992	692	cmd.exe	reg.exe
PID 692 wrote to memory of 992	692	cmd.exe	reg.exe
PID 1328 wrote to memory of 1184	1328	pCEUW.exe	Dwm.exe
PID 1120 wrote to memory of 71024	1120	taskhost.exe	cmd.exe
PID 1120 wrote to memory of 71024	1120	taskhost.exe	cmd.exe
PID 1120 wrote to memory of 71024	1120	taskhost.exe	cmd.exe
PID 71024 wrote to memory of 71060	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71060	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71060	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71412	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71412	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71412	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71444	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71444	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71444	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71476	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71476	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71476	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71508	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71508	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71508	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71544	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71544	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71544	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71576	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71576	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71576	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71608	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71608	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71608	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71640	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71640	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71640	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71672	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71672	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 71672	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1124	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1124	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1124	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 34656	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 34656	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 34656	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 776	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 776	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 776	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1308	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1308	71024	cmd.exe	vssadmin.exe
PID 71024 wrote to memory of 1308	71024	cmd.exe	vssadmin.exe
PID 1184 wrote to memory of 1056	1184	Dwm.exe	cmd.exe
PID 1184 wrote to memory of 1056	1184	Dwm.exe	cmd.exe
PID 1184 wrote to memory of 1056	1184	Dwm.exe	cmd.exe
PID 1056 wrote to memory of 240	1056	cmd.exe	vssadmin.exe
PID 1056 wrote to memory of 240	1056	cmd.exe	vssadmin.exe
PID 1056 wrote to memory of 240	1056	cmd.exe	vssadmin.exe
PID 1056 wrote to memory of 1112	1056	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:240

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:1112

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1932

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71216

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71200

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:604

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:37324

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:43900

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:48428

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:48324

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1672

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:43924

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1188

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1636

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:71024

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:71060

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:71412

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:71444

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71476

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71508

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71544

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71576

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71608

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71640

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:71672

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1124

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:34656

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:776

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1308

C:\Users\Admin\AppData\Local\Temp\msedge.exe
"C:\Users\Admin\AppData\Local\Temp\msedge.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624

C:\users\Public\pCEUW.exe
"C:\users\Public\pCEUW.exe" C:\Users\Admin\AppData\Local\Temp\msedge.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pCEUW.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pCEUW.exe" /f
4⤵
- Adds Run key to start application
PID:992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:71092

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:37320

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1c0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:48716

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2052

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRedo.mpeg"
1⤵
PID:2116

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRedo.mpeg"
1⤵
PID:2216

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\TraceRemove.pptx"
1⤵
PID:2372

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3160

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
Filesize
22.8MB

MD5
c7f6bd18d56ffae148104a6186f439a1

SHA1
36f1f7bf1193d8aa092ff45739d3910c562113da

SHA256
c0395fe15979335c32ec56c0db730aece404282886a57f7ba5938f00ffbdbf4c

SHA512
4dec3a30a187519f8d6c103d2b6f1b7c216b0eda209ac7761a228438c72462fd2b8ae79691c6b3cd1a29c9253c6e68d7cb5c5207505ac698ab71d6f9a6b57094

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
Filesize
2.9MB

MD5
26c2b6aae4c52dacac9ff9bf2fa8bed8

SHA1
a4a780ee0be0bc5ed4a4f7338470795bd31e7720

SHA256
9e087bef0845be20d3faf49d3fbbda49393ea0a536c242e91e1dd1d9b533b728

SHA512
639cdc7ff52376bece2b0a57de7b4db2bff62cb0dfe07861df224febfae664cdcfa53d1e0fa522c5a1d538b8c5d9f09c18630349008a53c740c87204a8709eae

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
Filesize
23.7MB

MD5
1ec015cb0176f05ab2a40f49daee0c20

SHA1
a50ca5a37dbd9f20f0040408c464690e2f17d50b

SHA256
fa415ba07fc62e0e35c4075ec5ed827f342b98aee82949fb26fd2d3226daa635

SHA512
322d0a93438e0b185fd8b2a9874e92a6115b4aa5e2dfd32b34660fc7668b2f4545089ec81310c64c320c83bcde9582c93eeb5b9dd06dbc504d9ab8d7f5402e75

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
Filesize
142.4MB

MD5
d3fa92c6891f0966ab0bf436b8d2a84b

SHA1
158dfee567943d93618886ce46a7ae8f2522ca42

SHA256
bcc099cff10c545ec42b00c64da4aa4a9fac9a58084cc027b6f0d057dfe9360d

SHA512
070820d4ecb75a4eff2742b62753364e643e87a439c978264bd0417a66c329c3a5695d5c4e15133a277f5cc9df7afeb8e23b8afdb284b12eeaed450de83c3e71

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
Filesize
31KB

MD5
6c2fce572b7f3efdfc5272d5c8b05f4a

SHA1
aa41fc23d6af51ee2c4d66b76d865390a9cbc6ee

SHA256
f7bcafb9143ed1da0d077559464710772c14de40e10a1aa75a27aa5d06ba348e

SHA512
3f79be5c15e7ab6e55652cfe91f1094819dc7478d614d5ec1297ba15c1e8bea2353d4beb37f69c39a2e44bdc4c8171e60d7613924c473ac8f4dbf82807c894bb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
Filesize
1.7MB

MD5
d208516f3749963aea53ef6bd1681ee6

SHA1
210a5eba9a43936ea91d826349f024491ffdd3e0

SHA256
5a47916752b09285cfb3c51d07384ff7b280fe17e7835368de92271b5085d4ac

SHA512
79894800e00db80e6a8ecab20c77af4093b50450e00e444188814c6d9f89340ae190143766fa0779e3d8e49690dff05d94530f2c9ba9bc2c3bdc8908d7fc9bfb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
0637ee542d5fdd0ed4328c01e6d6e741

SHA1
de5842c8601c3cc08ffeb4e54b1d443822457b10

SHA256
439852557b1ed5ead653c165c9503c185c5447d32a983976e1290999b5fe3d79

SHA512
98ba248497f9c83ac857268706582bf2f9ce95ea13eebcd63b7f8eaf50bcbf225ab3056eff64b581760fb42b66b8db5ed645990f3a0ab771b4db1e0e2fa4249f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
Filesize
1KB

MD5
66813c9782ed59053a07b948049d2e45

SHA1
22e06c2e0334345a290e88ab4816baf948ed5472

SHA256
89c564542b4036c8a282a7f9e8c75c295e8b13d4ce2c8c71361b0aaaf4df22d9

SHA512
93a9622bd096beb25fa3ec62a127372c9fc02f91673ca0add9758d880a9543ccd91a8dd79d169eff8eb370ca519f7747bd8280b7f7a83a3c2c77a351b0874c87

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
a32d7fcc2167347732a907de57b4b324

SHA1
97f5661c23bdbf791e5ed6f0fcd09a844343a489

SHA256
0bd2391b1c7d2d77b0008e01bed23d07cb2a4a97a7db6802943b2005d532f468

SHA512
27e19e71e402aebf099fbaeaf898ba6523f829ab39113b67127978dc03bbf2aacb2dd435fd83cb9562950522f550facca12195693453f793bbe517305d4f1e7e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
Filesize
1KB

MD5
59e97d4e6c737ab3929ced7bb593fdd1

SHA1
1f8987f1004abba3ce103948ad0f70bfd9d118f0

SHA256
18889f1f7bb2e3a74acd97906530517630535382e7214dccef0d21751a19edf1

SHA512
823b520ec0adc2e7ab1fdfe92e1e9f56f9341c41d1ceb0dbf661fe93711a1a5593039aeb74ab3d03c650b0f6d744f7be7f0cb22c0c6a67fd6acb8bc0782b98ca

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
859ff398223cae36d7a7787eace6a057

SHA1
1061f39755edbb7beec06a05fbb328b568ffbef6

SHA256
801b610b05139ab70446084c8b54a264ee585f5c9c65f932f04c2a1e521926dc

SHA512
bca6a34f1835939869e4607f7a96ea31204552d9428f6fd9f31b6113fd1f7b5fd6d501c8d6c070a9a0490f28883c7ee9888df4e25965e9809f5139a5d83860cc

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
Filesize
2.0MB

MD5
43f37013ddf38c9788bb3350406c5979

SHA1
766224c256436698b28b8993007a7176e36e628a

SHA256
35a635c74543162820c111cead30056bf6ed7aedebb22c0d92efdc364b194204

SHA512
c6a962649a45489906bd8a6a7649d30b45de5938635a364fe8844af360bd6c58a87c62929139c4375385b05858c9410b1e8356b74b733aeb6cd50ea84d2d3ba0

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
4KB

MD5
8a2c08674d2e8abb4d12142d5ee50ec2

SHA1
e64d2f2d3c159b6c98cc10460ff99171e6f3fd42

SHA256
e03506d1d200311fcf77e93841e57c658280606d631519a614dc4d42dc5a3785

SHA512
2de22faeace7eca371a3760cb3cd61f1a26202cf45b894f37bc77d0851102d7f1e023a294624d1b2dfe8e7b51c08b0d5212f8872e3dc5ce4b174a329d408ae90

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
Filesize
41.8MB

MD5
3b85d91d68cbc3fef3fd41933c29c0e2

SHA1
3d3af0ebaa9c39a4b30b99902920a48d7b650345

SHA256
987ff32c6205cda98e7471c8389d10c1d73c6f53bc482bd790a15952dece86a2

SHA512
253b54ab8d06a6be6c212799844f94297fe639c91918b58a1089510c77fbbf357c4ab0046a0e32403a6ad53c29d2ee713e3610882e4bf9b9f3a351e42ed96a82

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
Filesize
2KB

MD5
1719861589bccfa83f7e4a81c0c355db

SHA1
18825d7b267fd848694a7e72fd64837f02d44b5c

SHA256
fdf5c182f52add3cd907ad86cd23978cb465269ff516913cfb06810553094028

SHA512
ff325a46d3088b2a310fb2b47a54bfd21d1d8bbdf0ef965187d3e25f5c30def2d139a0960ddead73ef3e7bdd54ff08cf3c9c4a2ff78ab79885771d826f7fa2cb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
Filesize
641KB

MD5
02a151a0af7e155571e0b1237977cbc3

SHA1
7bcd8710345a254863bc6f56d5648c043439946d

SHA256
5e1bbf8dfa81d5eecf7267743d9fc45512a1d2dcf853b07e8a439905a2ffb3d5

SHA512
f18959c7762cf16214b1efb1232504e00c013653327315466ff4ec0ada09536c4149dde67b47639c02387ee09c4ef1b10863c6908f9e64b32ea869beeeb92f03

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
Filesize
12.6MB

MD5
4ad5d57e7293aa02ab0b83311fee4eb9

SHA1
6db2fb568cd78ed20fa7b6e691de348e9e02626f

SHA256
23797e8ce3e3c0f9c4a742a6532de1297cfcedb5b2b07cebc26eaf56f970914a

SHA512
1b2da0b8b4aadcd90ea411f69adcdd91f9157aa0fa5be15a21b51eb73cfba4a5a1bdd1757dcdaa57311f8feab6befea9d421d60d296f0b79fc18cc2c834f0e31

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
Filesize
1KB

MD5
28f2a0a97ff00104a519cfe4f4b9e5f5

SHA1
c6d69bd089babe09a505b9174cd48f6db9ab8852

SHA256
0f8d45f07e053c1bd391ecd4b84328339be0fc8c1a9b007b58757f14f87d9b27

SHA512
30bacf49406263e708e01c048742363fc3259376060a859bfb2e4d4516852ac87ad1753c5631449f1f4f2f7c4d6eab0eca9b55f39ed7f2355479754173e74c3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
Filesize
652KB

MD5
4cd1632b72b09a069d80f6dd44c63399

SHA1
d5734fc08cb825396d7014f098e7681403041887

SHA256
390903054ea11c42d6b2ecbaf73513627520d109b92e5273f684fac1748c210e

SHA512
3f0cbd4c22149208e0ff710b34ebc86feefaa5e2768acbf9f59c3d684b0fd32869045b05de9d3a4f928901bc89c664b35687f5c577b21494a717d82e4cd6c31a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
Filesize
635KB

MD5
8e81a0ce114185ae6721e46808fc82ee

SHA1
3ed5907d3117a2a6b23d9efaaad6c68c5c1e69f3

SHA256
fc2e407c8e71c226d85ccc946fb66d98c0108e60ed1f5cce09fdb4b9f946065c

SHA512
4774781becaa7d76df46b4e13ab704f9c72d0a26fba8387beaf5cf9a080b2fc6ceee0bab8eb24fbad5f944a26a7f1f39996b7ad6761fef0a3d994c51687c7eb3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
6KB

MD5
298fa09ca9df714846af16cb77660c05

SHA1
f5195ff0ca2ba1a8b4a57ca2766305f86f0da17b

SHA256
33f64d926752039082ccc1d3cde8607f957983cbfdda0ccce9ca90abc1e853b3

SHA512
23064be25dce33b3fef27f85735be487c274c29110aa470722ebd609b830ad3a8105b17917350ccee342992185bd294bb209da2ab3d3d62abbbb8994d34f9eaf

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
Filesize
2.3MB

MD5
bfb13e0e9bc0b350acd15e0dc30516c7

SHA1
a7ec0fd7cab8b1388598ddac319bc7f808c2c16f

SHA256
cd83a44bdf214e65218c31754a0907a97e62738bd1535c5f090cde7c8cde30bd

SHA512
7e4a4ce828797ec8873e78d5317927f735d46c169ef0b07ecff15cafe844449ee02e0c7795ac46a6559be25c1ef00558847b6a33207cb96a10cd8f66e2407d5a

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
9577b15097a917e8c44398c1eed85f5e

SHA1
a70de33f4620bb479fcce92898baed13ecfdbefd

SHA256
fb090b2f80bac5d7ab37dc1bc0262b59ed6d4a747a3099278d4bef69fb2bb2fa

SHA512
adc0d1c23363394806391f0a8e0e1db1ba368985e98e07465f3f4c6f0aa377fc59f7ec8d722e770b55ed0fa785948fed9d3087beb31f2a4a758dd82c8129bc8f

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
Filesize
1KB

MD5
ccfcfbf8095b633626cca443f2f71f3b

SHA1
e0f26dc8bf90eb3ba9c0b6265f0d7d11937a0b64

SHA256
5fd967d7aec5b01095866a7e240e79aa33c4e8051a2b16b6b4cc4b6298162aa5

SHA512
04aa85f4353a71a9fbbd60214020387d6dcd1acf63fb61671f4d63addeec6a46d9009a8c1dc7be64d08ae4fdc91bdde60219f74ac80c74c5d2667e47de3a7bde

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
64e353dd66521aab8eb8389002e2797a

SHA1
e817ca6f18d5e8cb114eb464f919a54f0b3d28ee

SHA256
eb6e22dd6dfe14eb0058add3eee68868623b456c3782545ed1e683c87a84e160

SHA512
367aa2617551959a7a1dd8d23fc7b66d56af29efde60c024587ba161fd00f4d2b92899da244452d5e15bb373aabf471996a28adfa7d39d8f94857d057f682b69

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi
Filesize
1.7MB

MD5
d9ef5f6c574f077bdbac75ef35a0ab70

SHA1
0444659011ed41d7247cb364b08fca2c04f1cee8

SHA256
76830279e6d6bdc0f71fa21e292e9f0eb8d99d276a91dcaa1c23100356e28ce6

SHA512
f4f2cf120d6eb7d85397a04199bf48f9907f9d2099b2c2ef00cd1698621533b3ead7d824f58a55b919a6473b3fe49cf29edd32869e5c52929fc5807d3606ed16

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
d389719eeb4a40510b4b75787f0248b0

SHA1
5926c08b2350d168994ef8e47d47b4dc56ab51e4

SHA256
e15102f41319aa417f674b07853780c996c72c2af7c59e6175e5842c68020842

SHA512
02133d9e0cd396c922bcd1a020cd5a106d9a002dcbf76e1ad1a2526b7f9404448767e8e549058e1198c6c37cd3100b9f6989f8264f33fcf4f37d03ba80a89b2d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
Filesize
2KB

MD5
9b687e2115ddae9b0dbc9088a1dba2e1

SHA1
65d17e3b6f6a5feba3fd2ddfb5980f2e92a6bd81

SHA256
68ad6bf84e1be49f24b7940db2697d008f25ed4c9e2f69cd329fa921c6ca82c0

SHA512
8a5397dcf94cd475b23d0ce1030c4455f46d479541179d7962912c3c5c7c57e543ad7e4ae285ba6688502000769f9bfc87537515b228917ee0711e15626183bc

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
Filesize
2.7MB

MD5
6ef12623d7ae4dcabe0d43fe01b573dd

SHA1
100761fc78803aa84a23b7fb5e8ed67592f6b905

SHA256
20574b91ee171032ea4a0d9740faaa2edf337580e52a047964defbed016fd2cb

SHA512
b55487537ac11a977165ddf537522c1edd7e2a9bce65c9f46ae229cc0bc89a6bb2b9d738a48b2af34c7a56b5b040793320d07f9eb3776f003774824271b5c4f1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
Filesize
635KB

MD5
1d1d7f2a1137991276f655a6a039a04f

SHA1
02ebb4e07bac2efc692b62e642bf90c40f99a899

SHA256
7942c912d6ad788a6c8576196b353132066ee742c6381b22597d5a571a46c4a6

SHA512
86971a0cc43168597495c4a43e43419d9305736237adaaae9a1e6caab822104aad9a65c962db74ca2f39481d619be5d0f476cd0d8a9fa072e8f53617f5d12136

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
9KB

MD5
e966deb09bbdf475dbdfb4463055c2bb

SHA1
570f2ccb04cad64810b5281ea49862bf1dd3e82e

SHA256
64e95c1a030a7674d188627a52b4a0cf1bcefdcf755dc928b5005c4d70653910

SHA512
d867c459f7018c99f5f69f97219331d25695cc4028c984d5903d9ef62c0bac4711117ad8e1cba07797589562360a9b3a8d54e0b80360a1b52aead4127f2742b4

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
Filesize
26KB

MD5
ce122e6a9d31a50554adb8216843fec9

SHA1
d02242d8006519ae11e0103bf4f10330ae1b39b8

SHA256
1b6c0ff878aca018bc47687590f0cb05443c41737e15778b77493be3c73f4cb1

SHA512
d31e49d450051c859357536f8afee51d8fe2758822c035e0348cabef1283416c135cc5b6ff647e00cb581f3bfeb53238c77974383a018c890f491d3383679704

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab
Filesize
1.1MB

MD5
daeffbeef7190b94f188cc33fc51d708

SHA1
ed2d2a9873bd3cff5e686ff7b6cdd1b7d47535a8

SHA256
2655f3e070fbe8f20858b3491be04002158bc0540e75d043089065dbb06fc463

SHA512
0eda842dfaab85b96399a5172e20cef092441802d2dd9df380a30774f5dc98d3133779fdf359584d2c5fb0181223dc08fa6535352313b650609da3d7f98a5c26

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
Filesize
638KB

MD5
1916dbe5efa703579e0339fc84cbf5a3

SHA1
acf5f8d0c93b70e351450a08ec9092679a5882d0

SHA256
044139f9dd3ef0078a92cbcf244f47b5354ad981ecdd5ea0f31bce6f1c89c838

SHA512
0ee701e2678a2c3a8a16048220e3d2a37c2cf4d0c203855513db3a06673a03209a2197bcfd7e658d8c1c6018eea7f969c771916f07dd4f6d89b9ead5bf531380

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi
Filesize
635KB

MD5
a110ca2b3c821a1cc2fd78546c467342

SHA1
14a80a158a77751879cbc9de17dfdffef0d3e818

SHA256
fb2a948236aaa6c37edf05a632f479d5ea529e372133a705c2601e62a8c2d470

SHA512
528972de300964d151bb0a918a2c289d9644487fbb0005876a05ccc9ea32ad65af04c592d68b784143d5288649d10a25e67b3bc58c51121416c96008491ea1c0

Download Submit
C:\MSOCache\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_dae2938e-27ce-4a80-bf74-6da89b87415b
Filesize
338B

MD5
22361d210bffbc79609741539c1b6c10

SHA1
77587ce99795d6cab91a907b9339356a1b5ea3c9

SHA256
a562f78c2cb7ba437d821697760500429ee5341f3d13759301da888cb948fe76

SHA512
9730a1e5b7db2a909ea21d02c80b9fec0291a9e551fee0280d6bed99549be8c6207a5107dd62678bc8fd67e1977135b278e0ef5ad645739ebb00a31625ab5fde

Download Submit
C:\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\pCEUW.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat
Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak
Filesize
12KB

MD5
b6acc24d357e0c9a276984ab3c669ce5

SHA1
952454d6404ff93111868a327acac28abe259ad2

SHA256
547c36175b43d5aa6a58482409b9f99cea3ba4610260bcd077b54f7bf38d0cd8

SHA512
f08f327f29a3ba5a33c04c2d5ed02d1c329d97a3df4c4d9708456fe24c4cbbbf1fa4cf595f7c58181b289ef0536f9010254c87cf73d566ea58d94915df447a12

Download Submit
\??\c:\Users\Admin\AppData\Roaming\BackupPush.xlsb
Filesize
160KB

MD5
3209a8ae0e857fbbe8586134ffd52b93

SHA1
33c60ab7a229db92935cca4fb0d957b17483517b

SHA256
ffb01968b704fba5aad240578c8fa6184190b2edb42df44fdd4c5a04eb02ead0

SHA512
440f927667a51fd79a4a5708238b3eadcaf52361dc21ecc84684de17c6b457eff038905cd7ecce631c3e7094940f40d1d7da2dda0cd834031533ee4ba5d9ea70

Download Submit
\??\c:\Users\Admin\Documents\BackupResolve.mpp
Filesize
1.2MB

MD5
33b9ad67a166f5ada25b319b94b91dc0

SHA1
ed25f6113cb77a664ff37ef1d689aef1681a0512

SHA256
ce0860f190f005689aace68e9190bcc1ed54e16ad1e75ed29ca2202b457ef0fa

SHA512
33e5f0eb71d1851771b146c635eb0d1fb99e38e30ce14bf09aa95ecbc9c8c741cbdf71ab87abea0ec69ea9cecc627d4c73045029a49a3a0399c6541142808a74

Download Submit
\??\c:\Users\Admin\Downloads\BackupExport.dib
Filesize
509KB

MD5
4ba8e8bd150be1f7aa27e99bf5b12849

SHA1
6b3947d9be395b9c431a0dc41011906713993560

SHA256
f4be0b30571c27f98fad2060c2d511f24c626140c544dd07608953c21c26aa8b

SHA512
eb4391f36761be1170f61b11f732a55a11388163d80cbd95b419b1bab72ac20c7976d173acbd200298af4a22a537bafbca876d6d61d508eb4073e154546475c5

Download Submit
\??\c:\Users\Admin\Downloads\BackupGet.zip
Filesize
486KB

MD5
cb885393ae02bb7eef193458f6f8c417

SHA1
1a62403d44520ed7a8eb6b0afaf4381bb10e7365

SHA256
0f0ac165dec75124586f1da2e30decf16d139d326fc0e1855e54e94aec1d2385

SHA512
520ad4e60a72c7e556725495615abba2e9c12e9345d31ec999e40399a96746e2e4417c49fae345e5160c36c8fd0d0ad19526d377075aca6863204f94f17f314c

Download Submit
\??\c:\Users\Admin\Pictures\BackupOpen.tiff
Filesize
362KB

MD5
5a87da74ef5fbc2d4f49d0343be20a57

SHA1
858b30300ef7e56806d34919692a4bbfd8b08fa2

SHA256
bc0b5de91d95599739e8ed6d7825adf69ef05b7f3283ff337df7b42f0be94bcd

SHA512
04359048232668bff958401de4116c08edd60d551599fcdc48740a5ba38efac411f7f48884a514e07afe287fc2053d06c8df8b7283f5fd2f0ed1ffeb93a4305c

Download Submit
\Users\Public\pCEUW.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/240-150-0x0000000000000000-mapping.dmp

Download
memory/604-156-0x0000000000000000-mapping.dmp

Download
memory/624-54-0x0000000075F01000-0x0000000075F03000-memory.dmp

Filesize
8KB

Download
memory/692-59-0x0000000000000000-mapping.dmp

Download
memory/776-84-0x0000000000000000-mapping.dmp

Download
memory/992-62-0x0000000000000000-mapping.dmp

Download
memory/1056-149-0x0000000000000000-mapping.dmp

Download
memory/1112-152-0x0000000000000000-mapping.dmp

Download
memory/1120-67-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1120-60-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1120-72-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1120-63-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1124-82-0x0000000000000000-mapping.dmp

Download
memory/1184-66-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1184-151-0x000000013FA90000-0x000000013FE1E000-memory.dmp

Filesize
3.6MB

Download
memory/1188-163-0x0000000000000000-mapping.dmp

Download
memory/1308-85-0x0000000000000000-mapping.dmp

Download
memory/1328-58-0x000007FEFBE41000-0x000007FEFBE43000-memory.dmp

Filesize
8KB

Download
memory/1328-56-0x0000000000000000-mapping.dmp

Download
memory/1636-164-0x0000000000000000-mapping.dmp

Download
memory/1672-161-0x0000000000000000-mapping.dmp

Download
memory/1932-153-0x0000000000000000-mapping.dmp

Download
memory/2372-168-0x00000000745F1000-0x00000000745F5000-memory.dmp

Filesize
16KB

Download
memory/2372-169-0x0000000071631000-0x0000000071633000-memory.dmp

Filesize
8KB

Download
memory/34656-83-0x0000000000000000-mapping.dmp

Download
memory/37324-157-0x0000000000000000-mapping.dmp

Download
memory/43900-158-0x0000000000000000-mapping.dmp

Download
memory/43924-162-0x0000000000000000-mapping.dmp

Download
memory/48324-160-0x0000000000000000-mapping.dmp

Download
memory/48428-159-0x0000000000000000-mapping.dmp

Download
memory/71024-69-0x0000000000000000-mapping.dmp

Download
memory/71060-71-0x0000000000000000-mapping.dmp

Download
memory/71200-155-0x0000000000000000-mapping.dmp

Download
memory/71216-154-0x0000000000000000-mapping.dmp

Download
memory/71412-73-0x0000000000000000-mapping.dmp

Download
memory/71444-74-0x0000000000000000-mapping.dmp

Download
memory/71476-75-0x0000000000000000-mapping.dmp

Download
memory/71508-76-0x0000000000000000-mapping.dmp

Download
memory/71544-77-0x0000000000000000-mapping.dmp

Download
memory/71576-78-0x0000000000000000-mapping.dmp

Download
memory/71608-79-0x0000000000000000-mapping.dmp

Download
memory/71640-80-0x0000000000000000-mapping.dmp

Download
memory/71672-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads