Malware Analysis Report

2024-08-06 09:28

Sample ID 230106-rcjp6sce4z
Target msedge.exe
SHA256 3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289
Tags: ryuk persistence ransomware spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256 3a70394c394cb59907b5798a96a582f37ce62885fadd73267df25ad680141289

Threat Level: Known bad

The file msedge.exe was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware spyware stealer

Ryuk

Deletes shadow copies

Modifies extensions of user files

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Checks computer location settings

Enumerates connected drives

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Opens file in notepad (likely ransom note)

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2023-01-06 14:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-06 14:02
Reported: 2023-01-06 14:06
Platform: win7-20221111-en
Max time kernel: 100s
Max time network: 96s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\pCEUW.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\BackupOpen.tiff C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchRename.tiff C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Users\Admin\Pictures\WatchRename.tiff C:\Windows\system32\Dwm.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\users\Public\pCEUW.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\pCEUW.exe" C:\Windows\system32\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02413_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\PST8PDT C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Cocos C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\mng.txt C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18197_.WMF C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03451_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Thimphu C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Premium.css C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\RyukReadMe.txt C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\RyukReadMe.txt C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03470_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143748.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SIGN.CFG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105380.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\ProPlusWW.XML C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\setEmbeddedCP.bat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Services\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GREETING.XML C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\RyukReadMe.txt C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0090779.WMF C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.IN.XML C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0234001.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD08758_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.swt.theme_0.9.300.v20140424-2042.jar C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\UseOut.aif C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-annotations-common_ja.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Kolkata C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Panama C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vimeo.luac C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\PDDom.api C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK_K_COL.HXK C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_ja.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04196_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-application-views_ja.jar C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\PABR.SAM C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_left.gif C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-3 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\RyukReadMe.txt C:\Windows\system32\Dwm.exe N/A

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\pCEUW.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\pCEUW.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\Dwm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe C:\users\Public\pCEUW.exe
PID 1328 wrote to memory of 692 N/A C:\users\Public\pCEUW.exe C:\Windows\System32\cmd.exe
PID 1328 wrote to memory of 1120 N/A C:\users\Public\pCEUW.exe C:\Windows\system32\taskhost.exe
PID 692 wrote to memory of 992 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1328 wrote to memory of 1184 N/A C:\users\Public\pCEUW.exe C:\Windows\system32\Dwm.exe
PID 1120 wrote to memory of 71024 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 71024 wrote to memory of 71060 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71412 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71444 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71476 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71508 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71544 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71576 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71608 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 71672 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 1124 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 34656 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 776 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 71024 wrote to memory of 1308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1184 wrote to memory of 1056 N/A C:\Windows\system32\Dwm.exe C:\Windows\System32\cmd.exe
PID 1056 wrote to memory of 240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1056 wrote to memory of 1112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\msedge.exe"

C:\users\Public\pCEUW.exe

"C:\users\Public\pCEUW.exe" C:\Users\Admin\AppData\Local\Temp\msedge.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pCEUW.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\pCEUW.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1c0

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRedo.mpeg"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\PopRedo.mpeg"

C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\Admin\Desktop\TraceRemove.pptx"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

Network

N/A

Files

C:\Users\Public\pCEUW.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249


C:\users\Public\window.bat

MD5 d2aba3e1af80edd77e206cd43cfd3129
SHA1 3116da65d097708fad63a3b73d1c39bffa94cb01
SHA256 8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA512 0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_dae2938e-27ce-4a80-bf74-6da89b87415b

MD5 22361d210bffbc79609741539c1b6c10
SHA1 77587ce99795d6cab91a907b9339356a1b5ea3c9
SHA256 a562f78c2cb7ba437d821697760500429ee5341f3d13759301da888cb948fe76
SHA512 9730a1e5b7db2a909ea21d02c80b9fec0291a9e551fee0280d6bed99549be8c6207a5107dd62678bc8fd67e1977135b278e0ef5ad645739ebb00a31625ab5fde

\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

MD5 b6acc24d357e0c9a276984ab3c669ce5
SHA1 952454d6404ff93111868a327acac28abe259ad2
SHA256 547c36175b43d5aa6a58482409b9f99cea3ba4610260bcd077b54f7bf38d0cd8
SHA512 f08f327f29a3ba5a33c04c2d5ed02d1c329d97a3df4c4d9708456fe24c4cbbbf1fa4cf595f7c58181b289ef0536f9010254c87cf73d566ea58d94915df447a12

\??\c:\Users\Admin\AppData\Roaming\BackupPush.xlsb

MD5 3209a8ae0e857fbbe8586134ffd52b93
SHA1 33c60ab7a229db92935cca4fb0d957b17483517b
SHA256 ffb01968b704fba5aad240578c8fa6184190b2edb42df44fdd4c5a04eb02ead0
SHA512 440f927667a51fd79a4a5708238b3eadcaf52361dc21ecc84684de17c6b457eff038905cd7ecce631c3e7094940f40d1d7da2dda0cd834031533ee4ba5d9ea70

\??\c:\Users\Admin\Documents\BackupResolve.mpp

MD5 33b9ad67a166f5ada25b319b94b91dc0
SHA1 ed25f6113cb77a664ff37ef1d689aef1681a0512
SHA256 ce0860f190f005689aace68e9190bcc1ed54e16ad1e75ed29ca2202b457ef0fa
SHA512 33e5f0eb71d1851771b146c635eb0d1fb99e38e30ce14bf09aa95ecbc9c8c741cbdf71ab87abea0ec69ea9cecc627d4c73045029a49a3a0399c6541142808a74

\??\c:\Users\Admin\Downloads\BackupExport.dib

MD5 4ba8e8bd150be1f7aa27e99bf5b12849
SHA1 6b3947d9be395b9c431a0dc41011906713993560
SHA256 f4be0b30571c27f98fad2060c2d511f24c626140c544dd07608953c21c26aa8b
SHA512 eb4391f36761be1170f61b11f732a55a11388163d80cbd95b419b1bab72ac20c7976d173acbd200298af4a22a537bafbca876d6d61d508eb4073e154546475c5

\??\c:\Users\Admin\Downloads\BackupGet.zip

MD5 cb885393ae02bb7eef193458f6f8c417
SHA1 1a62403d44520ed7a8eb6b0afaf4381bb10e7365
SHA256 0f0ac165dec75124586f1da2e30decf16d139d326fc0e1855e54e94aec1d2385
SHA512 520ad4e60a72c7e556725495615abba2e9c12e9345d31ec999e40399a96746e2e4417c49fae345e5160c36c8fd0d0ad19526d377075aca6863204f94f17f314c

\??\c:\Users\Admin\Pictures\BackupOpen.tiff

MD5 5a87da74ef5fbc2d4f49d0343be20a57
SHA1 858b30300ef7e56806d34919692a4bbfd8b08fa2
SHA256 bc0b5de91d95599739e8ed6d7825adf69ef05b7f3283ff337df7b42f0be94bcd
SHA512 04359048232668bff958401de4116c08edd60d551599fcdc48740a5ba38efac411f7f48884a514e07afe287fc2053d06c8df8b7283f5fd2f0ed1ffeb93a4305c

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
C:\MSOCache\All Users\RyukReadMe.txt
C:\MSOCache\RyukReadMe.txt
C:\Documents and Settings\RyukReadMe.txt
C:\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab

MD5 daeffbeef7190b94f188cc33fc51d708
SHA1 ed2d2a9873bd3cff5e686ff7b6cdd1b7d47535a8
SHA256 2655f3e070fbe8f20858b3491be04002158bc0540e75d043089065dbb06fc463
SHA512 0eda842dfaab85b96399a5172e20cef092441802d2dd9df380a30774f5dc98d3133779fdf359584d2c5fb0181223dc08fa6535352313b650609da3d7f98a5c26

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi

MD5 a110ca2b3c821a1cc2fd78546c467342
SHA1 14a80a158a77751879cbc9de17dfdffef0d3e818
SHA256 fb2a948236aaa6c37edf05a632f479d5ea529e372133a705c2601e62a8c2d470
SHA512 528972de300964d151bb0a918a2c289d9644487fbb0005876a05ccc9ea32ad65af04c592d68b784143d5288649d10a25e67b3bc58c51121416c96008491ea1c0

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi

MD5 1916dbe5efa703579e0339fc84cbf5a3
SHA1 acf5f8d0c93b70e351450a08ec9092679a5882d0
SHA256 044139f9dd3ef0078a92cbcf244f47b5354ad981ecdd5ea0f31bce6f1c89c838
SHA512 0ee701e2678a2c3a8a16048220e3d2a37c2cf4d0c203855513db3a06673a03209a2197bcfd7e658d8c1c6018eea7f969c771916f07dd4f6d89b9ead5bf531380

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 e966deb09bbdf475dbdfb4463055c2bb
SHA1 570f2ccb04cad64810b5281ea49862bf1dd3e82e
SHA256 64e95c1a030a7674d188627a52b4a0cf1bcefdcf755dc928b5005c4d70653910
SHA512 d867c459f7018c99f5f69f97219331d25695cc4028c984d5903d9ef62c0bac4711117ad8e1cba07797589562360a9b3a8d54e0b80360a1b52aead4127f2742b4

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm

MD5 ce122e6a9d31a50554adb8216843fec9
SHA1 d02242d8006519ae11e0103bf4f10330ae1b39b8
SHA256 1b6c0ff878aca018bc47687590f0cb05443c41737e15778b77493be3c73f4cb1
SHA512 d31e49d450051c859357536f8afee51d8fe2758822c035e0348cabef1283416c135cc5b6ff647e00cb581f3bfeb53238c77974383a018c890f491d3383679704

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi

MD5 1d1d7f2a1137991276f655a6a039a04f
SHA1 02ebb4e07bac2efc692b62e642bf90c40f99a899
SHA256 7942c912d6ad788a6c8576196b353132066ee742c6381b22597d5a571a46c4a6
SHA512 86971a0cc43168597495c4a43e43419d9305736237adaaae9a1e6caab822104aad9a65c962db74ca2f39481d619be5d0f476cd0d8a9fa072e8f53617f5d12136

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi

MD5 6ef12623d7ae4dcabe0d43fe01b573dd
SHA1 100761fc78803aa84a23b7fb5e8ed67592f6b905
SHA256 20574b91ee171032ea4a0d9740faaa2edf337580e52a047964defbed016fd2cb
SHA512 b55487537ac11a977165ddf537522c1edd7e2a9bce65c9f46ae229cc0bc89a6bb2b9d738a48b2af34c7a56b5b040793320d07f9eb3776f003774824271b5c4f1

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest

MD5 9b687e2115ddae9b0dbc9088a1dba2e1
SHA1 65d17e3b6f6a5feba3fd2ddfb5980f2e92a6bd81
SHA256 68ad6bf84e1be49f24b7940db2697d008f25ed4c9e2f69cd329fa921c6ca82c0
SHA512 8a5397dcf94cd475b23d0ce1030c4455f46d479541179d7962912c3c5c7c57e543ad7e4ae285ba6688502000769f9bfc87537515b228917ee0711e15626183bc

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 d389719eeb4a40510b4b75787f0248b0
SHA1 5926c08b2350d168994ef8e47d47b4dc56ab51e4
SHA256 e15102f41319aa417f674b07853780c996c72c2af7c59e6175e5842c68020842
SHA512 02133d9e0cd396c922bcd1a020cd5a106d9a002dcbf76e1ad1a2526b7f9404448767e8e549058e1198c6c37cd3100b9f6989f8264f33fcf4f37d03ba80a89b2d

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi

MD5 d9ef5f6c574f077bdbac75ef35a0ab70
SHA1 0444659011ed41d7247cb364b08fca2c04f1cee8
SHA256 76830279e6d6bdc0f71fa21e292e9f0eb8d99d276a91dcaa1c23100356e28ce6
SHA512 f4f2cf120d6eb7d85397a04199bf48f9907f9d2099b2c2ef00cd1698621533b3ead7d824f58a55b919a6473b3fe49cf29edd32869e5c52929fc5807d3606ed16

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 64e353dd66521aab8eb8389002e2797a
SHA1 e817ca6f18d5e8cb114eb464f919a54f0b3d28ee
SHA256 eb6e22dd6dfe14eb0058add3eee68868623b456c3782545ed1e683c87a84e160
SHA512 367aa2617551959a7a1dd8d23fc7b66d56af29efde60c024587ba161fd00f4d2b92899da244452d5e15bb373aabf471996a28adfa7d39d8f94857d057f682b69

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml

MD5 ccfcfbf8095b633626cca443f2f71f3b
SHA1 e0f26dc8bf90eb3ba9c0b6265f0d7d11937a0b64
SHA256 5fd967d7aec5b01095866a7e240e79aa33c4e8051a2b16b6b4cc4b6298162aa5
SHA512 04aa85f4353a71a9fbbd60214020387d6dcd1acf63fb61671f4d63addeec6a46d9009a8c1dc7be64d08ae4fdc91bdde60219f74ac80c74c5d2667e47de3a7bde

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 9577b15097a917e8c44398c1eed85f5e
SHA1 a70de33f4620bb479fcce92898baed13ecfdbefd
SHA256 fb090b2f80bac5d7ab37dc1bc0262b59ed6d4a747a3099278d4bef69fb2bb2fa
SHA512 adc0d1c23363394806391f0a8e0e1db1ba368985e98e07465f3f4c6f0aa377fc59f7ec8d722e770b55ed0fa785948fed9d3087beb31f2a4a758dd82c8129bc8f

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi

MD5 bfb13e0e9bc0b350acd15e0dc30516c7
SHA1 a7ec0fd7cab8b1388598ddac319bc7f808c2c16f
SHA256 cd83a44bdf214e65218c31754a0907a97e62738bd1535c5f090cde7c8cde30bd
SHA512 7e4a4ce828797ec8873e78d5317927f735d46c169ef0b07ecff15cafe844449ee02e0c7795ac46a6559be25c1ef00558847b6a33207cb96a10cd8f66e2407d5a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 298fa09ca9df714846af16cb77660c05
SHA1 f5195ff0ca2ba1a8b4a57ca2766305f86f0da17b
SHA256 33f64d926752039082ccc1d3cde8607f957983cbfdda0ccce9ca90abc1e853b3
SHA512 23064be25dce33b3fef27f85735be487c274c29110aa470722ebd609b830ad3a8105b17917350ccee342992185bd294bb209da2ab3d3d62abbbb8994d34f9eaf

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi

MD5 8e81a0ce114185ae6721e46808fc82ee
SHA1 3ed5907d3117a2a6b23d9efaaad6c68c5c1e69f3
SHA256 fc2e407c8e71c226d85ccc946fb66d98c0108e60ed1f5cce09fdb4b9f946065c
SHA512 4774781becaa7d76df46b4e13ab704f9c72d0a26fba8387beaf5cf9a080b2fc6ceee0bab8eb24fbad5f944a26a7f1f39996b7ad6761fef0a3d994c51687c7eb3

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi

MD5 4cd1632b72b09a069d80f6dd44c63399
SHA1 d5734fc08cb825396d7014f098e7681403041887
SHA256 390903054ea11c42d6b2ecbaf73513627520d109b92e5273f684fac1748c210e
SHA512 3f0cbd4c22149208e0ff710b34ebc86feefaa5e2768acbf9f59c3d684b0fd32869045b05de9d3a4f928901bc89c664b35687f5c577b21494a717d82e4cd6c31a

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml

MD5 28f2a0a97ff00104a519cfe4f4b9e5f5
SHA1 c6d69bd089babe09a505b9174cd48f6db9ab8852
SHA256 0f8d45f07e053c1bd391ecd4b84328339be0fc8c1a9b007b58757f14f87d9b27
SHA512 30bacf49406263e708e01c048742363fc3259376060a859bfb2e4d4516852ac87ad1753c5631449f1f4f2f7c4d6eab0eca9b55f39ed7f2355479754173e74c3d

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab

MD5 4ad5d57e7293aa02ab0b83311fee4eb9
SHA1 6db2fb568cd78ed20fa7b6e691de348e9e02626f
SHA256 23797e8ce3e3c0f9c4a742a6532de1297cfcedb5b2b07cebc26eaf56f970914a
SHA512 1b2da0b8b4aadcd90ea411f69adcdd91f9157aa0fa5be15a21b51eb73cfba4a5a1bdd1757dcdaa57311f8feab6befea9d421d60d296f0b79fc18cc2c834f0e31

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi

MD5 02a151a0af7e155571e0b1237977cbc3
SHA1 7bcd8710345a254863bc6f56d5648c043439946d
SHA256 5e1bbf8dfa81d5eecf7267743d9fc45512a1d2dcf853b07e8a439905a2ffb3d5
SHA512 f18959c7762cf16214b1efb1232504e00c013653327315466ff4ec0ada09536c4149dde67b47639c02387ee09c4ef1b10863c6908f9e64b32ea869beeeb92f03

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml

MD5 1719861589bccfa83f7e4a81c0c355db
SHA1 18825d7b267fd848694a7e72fd64837f02d44b5c
SHA256 fdf5c182f52add3cd907ad86cd23978cb465269ff516913cfb06810553094028
SHA512 ff325a46d3088b2a310fb2b47a54bfd21d1d8bbdf0ef965187d3e25f5c30def2d139a0960ddead73ef3e7bdd54ff08cf3c9c4a2ff78ab79885771d826f7fa2cb

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5 3b85d91d68cbc3fef3fd41933c29c0e2
SHA1 3d3af0ebaa9c39a4b30b99902920a48d7b650345
SHA256 987ff32c6205cda98e7471c8389d10c1d73c6f53bc482bd790a15952dece86a2
SHA512 253b54ab8d06a6be6c212799844f94297fe639c91918b58a1089510c77fbbf357c4ab0046a0e32403a6ad53c29d2ee713e3610882e4bf9b9f3a351e42ed96a82

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 8a2c08674d2e8abb4d12142d5ee50ec2
SHA1 e64d2f2d3c159b6c98cc10460ff99171e6f3fd42
SHA256 e03506d1d200311fcf77e93841e57c658280606d631519a614dc4d42dc5a3785
SHA512 2de22faeace7eca371a3760cb3cd61f1a26202cf45b894f37bc77d0851102d7f1e023a294624d1b2dfe8e7b51c08b0d5212f8872e3dc5ce4b174a329d408ae90

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5 43f37013ddf38c9788bb3350406c5979
SHA1 766224c256436698b28b8993007a7176e36e628a
SHA256 35a635c74543162820c111cead30056bf6ed7aedebb22c0d92efdc364b194204
SHA512 c6a962649a45489906bd8a6a7649d30b45de5938635a364fe8844af360bd6c58a87c62929139c4375385b05858c9410b1e8356b74b733aeb6cd50ea84d2d3ba0

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 859ff398223cae36d7a7787eace6a057
SHA1 1061f39755edbb7beec06a05fbb328b568ffbef6
SHA256 801b610b05139ab70446084c8b54a264ee585f5c9c65f932f04c2a1e521926dc
SHA512 bca6a34f1835939869e4607f7a96ea31204552d9428f6fd9f31b6113fd1f7b5fd6d501c8d6c070a9a0490f28883c7ee9888df4e25965e9809f5139a5d83860cc

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml

MD5 59e97d4e6c737ab3929ced7bb593fdd1
SHA1 1f8987f1004abba3ce103948ad0f70bfd9d118f0
SHA256 18889f1f7bb2e3a74acd97906530517630535382e7214dccef0d21751a19edf1
SHA512 823b520ec0adc2e7ab1fdfe92e1e9f56f9341c41d1ceb0dbf661fe93711a1a5593039aeb74ab3d03c650b0f6d744f7be7f0cb22c0c6a67fd6acb8bc0782b98ca

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 a32d7fcc2167347732a907de57b4b324
SHA1 97f5661c23bdbf791e5ed6f0fcd09a844343a489
SHA256 0bd2391b1c7d2d77b0008e01bed23d07cb2a4a97a7db6802943b2005d532f468
SHA512 27e19e71e402aebf099fbaeaf898ba6523f829ab39113b67127978dc03bbf2aacb2dd435fd83cb9562950522f550facca12195693453f793bbe517305d4f1e7e

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml

MD5 66813c9782ed59053a07b948049d2e45
SHA1 22e06c2e0334345a290e88ab4816baf948ed5472
SHA256 89c564542b4036c8a282a7f9e8c75c295e8b13d4ce2c8c71361b0aaaf4df22d9
SHA512 93a9622bd096beb25fa3ec62a127372c9fc02f91673ca0add9758d880a9543ccd91a8dd79d169eff8eb370ca519f7747bd8280b7f7a83a3c2c77a351b0874c87

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 0637ee542d5fdd0ed4328c01e6d6e741
SHA1 de5842c8601c3cc08ffeb4e54b1d443822457b10
SHA256 439852557b1ed5ead653c165c9503c185c5447d32a983976e1290999b5fe3d79
SHA512 98ba248497f9c83ac857268706582bf2f9ce95ea13eebcd63b7f8eaf50bcbf225ab3056eff64b581760fb42b66b8db5ed645990f3a0ab771b4db1e0e2fa4249f

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

MD5 d208516f3749963aea53ef6bd1681ee6
SHA1 210a5eba9a43936ea91d826349f024491ffdd3e0
SHA256 5a47916752b09285cfb3c51d07384ff7b280fe17e7835368de92271b5085d4ac
SHA512 79894800e00db80e6a8ecab20c77af4093b50450e00e444188814c6d9f89340ae190143766fa0779e3d8e49690dff05d94530f2c9ba9bc2c3bdc8908d7fc9bfb

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml

MD5 6c2fce572b7f3efdfc5272d5c8b05f4a
SHA1 aa41fc23d6af51ee2c4d66b76d865390a9cbc6ee
SHA256 f7bcafb9143ed1da0d077559464710772c14de40e10a1aa75a27aa5d06ba348e
SHA512 3f79be5c15e7ab6e55652cfe91f1094819dc7478d614d5ec1297ba15c1e8bea2353d4beb37f69c39a2e44bdc4c8171e60d7613924c473ac8f4dbf82807c894bb

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt

MD5 cd99cba6153cbc0b14b7a849e4d0180f
SHA1 375961866404a705916cbc6cd4915de7d9778923
SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5 d3fa92c6891f0966ab0bf436b8d2a84b
SHA1 158dfee567943d93618886ce46a7ae8f2522ca42
SHA256 bcc099cff10c545ec42b00c64da4aa4a9fac9a58084cc027b6f0d057dfe9360d
SHA512 070820d4ecb75a4eff2742b62753364e643e87a439c978264bd0417a66c329c3a5695d5c4e15133a277f5cc9df7afeb8e23b8afdb284b12eeaed450de83c3e71

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5 1ec015cb0176f05ab2a40f49daee0c20
SHA1 a50ca5a37dbd9f20f0040408c464690e2f17d50b
SHA256 fa415ba07fc62e0e35c4075ec5ed827f342b98aee82949fb26fd2d3226daa635
SHA512 322d0a93438e0b185fd8b2a9874e92a6115b4aa5e2dfd32b34660fc7668b2f4545089ec81310c64c320c83bcde9582c93eeb5b9dd06dbc504d9ab8d7f5402e75

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5 c7f6bd18d56ffae148104a6186f439a1
SHA1 36f1f7bf1193d8aa092ff45739d3910c562113da
SHA256 c0395fe15979335c32ec56c0db730aece404282886a57f7ba5938f00ffbdbf4c
SHA512 4dec3a30a187519f8d6c103d2b6f1b7c216b0eda209ac7761a228438c72462fd2b8ae79691c6b3cd1a29c9253c6e68d7cb5c5207505ac698ab71d6f9a6b57094

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5 26c2b6aae4c52dacac9ff9bf2fa8bed8
SHA1 a4a780ee0be0bc5ed4a4f7338470795bd31e7720
SHA256 9e087bef0845be20d3faf49d3fbbda49393ea0a536c242e91e1dd1d9b533b728
SHA512 639cdc7ff52376bece2b0a57de7b4db2bff62cb0dfe07861df224febfae664cdcfa53d1e0fa522c5a1d538b8c5d9f09c18630349008a53c740c87204a8709eae

memory/1056-149-0x0000000000000000-mapping.dmp

memory/240-150-0x0000000000000000-mapping.dmp

memory/1184-151-0x000000013FA90000-0x000000013FE1E000-memory.dmp

memory/1112-152-0x0000000000000000-mapping.dmp

memory/1932-153-0x0000000000000000-mapping.dmp

memory/71216-154-0x0000000000000000-mapping.dmp

memory/71200-155-0x0000000000000000-mapping.dmp

memory/604-156-0x0000000000000000-mapping.dmp

memory/37324-157-0x0000000000000000-mapping.dmp

memory/43900-158-0x0000000000000000-mapping.dmp

memory/48428-159-0x0000000000000000-mapping.dmp

memory/48324-160-0x0000000000000000-mapping.dmp

memory/1672-161-0x0000000000000000-mapping.dmp

memory/43924-162-0x0000000000000000-mapping.dmp

memory/1188-163-0x0000000000000000-mapping.dmp

memory/1636-164-0x0000000000000000-mapping.dmp

memory/2372-168-0x00000000745F1000-0x00000000745F5000-memory.dmp

memory/2372-169-0x0000000071631000-0x0000000071633000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-06 14:02

Reported

2023-01-06 14:05

Platform

win10v2004-20220901-en

Max time kernel

7s

Max time network

33s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\fmSTr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\msedge.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\users\Public\fmSTr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\fmSTr.exe" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\fmSTr.exe N/A
N/A N/A C:\users\Public\fmSTr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\fmSTr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe C:\users\Public\fmSTr.exe
PID 3856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe C:\users\Public\fmSTr.exe
PID 2960 wrote to memory of 2376 N/A C:\users\Public\fmSTr.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2376 N/A C:\users\Public\fmSTr.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2304 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\sihost.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2960 wrote to memory of 2328 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\svchost.exe
PID 2960 wrote to memory of 2432 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\taskhostw.exe
PID 2960 wrote to memory of 2708 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\svchost.exe
PID 2960 wrote to memory of 3228 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\DllHost.exe
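The table above mixes two kinds of WriteProcessMemory call. A parent writing into a child it has just created (msedge.exe into fmSTr.exe, fmSTr.exe into cmd.exe, cmd.exe into reg.exe) is what CreateProcess does for every new process and is not by itself interesting. fmSTr.exe writing into sihost.exe, svchost.exe, taskhostw.exe and DllHost.exe is different: those are per-session Windows processes the sample did not create, so the writes are injection into existing processes. The script below is an added example, not part of the sandbox report, that parses the rows exactly as rendered here, separates the two cases, and walks the write graph so the reg.exe Run key write at the end of the chain can be attributed back to the sample. The SESSION_HOSTS set is the example's own assumption about which images are long-lived session processes; the rows in WPM_ROWS are copied from the table above.

```python
"""Triage a sandbox 'Suspicious use of WriteProcessMemory' table.

Added example (not from the report or the sandbox): rebuilds who wrote into
whom, separates parent->child setup writes from writes into pre-existing
Windows session processes, and attributes the reg.exe write to the sample.
"""
import re
from collections import defaultdict, deque

# Sample input: the report's rows, flattened as Description/Indicator/Process/Target.
WPM_ROWS = r"""
PID 3856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe C:\users\Public\fmSTr.exe
PID 3856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\msedge.exe C:\users\Public\fmSTr.exe
PID 2960 wrote to memory of 2376 N/A C:\users\Public\fmSTr.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2376 N/A C:\users\Public\fmSTr.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2304 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\sihost.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2376 wrote to memory of 4832 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 2960 wrote to memory of 2328 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\svchost.exe
PID 2960 wrote to memory of 2432 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\taskhostw.exe
PID 2960 wrote to memory of 2708 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\svchost.exe
PID 2960 wrote to memory of 3228 N/A C:\users\Public\fmSTr.exe C:\Windows\system32\DllHost.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")

# Assumption: long-lived per-session Windows processes that a user-land binary
# never creates itself. A write into one of these cannot be the ordinary
# CreateProcess write-up of a freshly spawned child, so it is treated as injection.
SESSION_HOSTS = {"sihost.exe", "svchost.exe", "taskhostw.exe", "dllhost.exe",
                 "explorer.exe", "runtimebroker.exe"}


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per table row."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            rows.append((int(src), int(dst), src_img, dst_img))
    return rows


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def lives_in_windows(path):
    return path.lower().startswith("c:\\windows\\")


def find_injections(rows):
    """Writes from an image outside C:\\Windows into a session host, keyed by target PID."""
    hits = {}
    for src, dst, src_img, dst_img in rows:
        if lives_in_windows(src_img):
            continue
        if basename(dst_img) in SESSION_HOSTS:
            hits[dst] = (src_img, dst_img)
    return hits


def write_graph(rows):
    """Directed graph writer_pid -> {target_pid, ...}."""
    g = defaultdict(set)
    for src, dst, _, _ in rows:
        g[src].add(dst)
    return g


def path_to(graph, root, target):
    """Shortest chain of writes root -> ... -> target, or [] if target is unreachable."""
    prev = {root: None}
    queue = deque([root])
    while queue:
        pid = queue.popleft()
        if pid == target:
            chain = []
            while pid is not None:
                chain.append(pid)
                pid = prev[pid]
            return chain[::-1]
        for child in sorted(graph.get(pid, ())):
            if child not in prev:
                prev[child] = pid
                queue.append(child)
    return []


if __name__ == "__main__":
    rows = parse_rows(WPM_ROWS)
    for dst, (src_img, dst_img) in sorted(find_injections(rows).items()):
        print(f"injection: {src_img} -> {dst_img} (PID {dst})")
    chain = path_to(write_graph(rows), 3856, 4832)
    print("chain to reg.exe:", " -> ".join(str(p) for p in chain))
```

On this report the output is five injection targets (PIDs 2304, 2328, 2432, 2708, 3228) and the chain 3856 -> 2960 -> 2376 -> 4832, which ties the Run key modification performed by reg.exe to the original msedge.exe sample. The heuristic is deliberately narrow: a write into a process the writer did not create is only recognised for the images in SESSION_HOSTS, so a sample injecting into some other already-running process would need that set extended.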

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\msedge.exe

"C:\Users\Admin\AppData\Local\Temp\msedge.exe"

C:\users\Public\fmSTr.exe

"C:\users\Public\fmSTr.exe" C:\Users\Admin\AppData\Local\Temp\msedge.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\fmSTr.exe" /f
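The REG ADD above creates an HKCU Run value named svchos, one character short of svchost, whose data points at a binary in C:\Users\Public, a directory every local user can write to. Both are cheap tells that survive across Ryuk droppers with different random file names. The script below is an added example, not part of the report, that scores Run entries for exactly those two tells. It reads the layout that `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints; the REG_QUERY_OUTPUT text embedded in it is constructed and contains the report's entry plus two made-up benign entries for contrast, and the WINDOWS_BINARIES and WRITABLE_BY_ANYONE lists are the example's own heuristics rather than a complete catalogue.

```python
"""Score HKCU Run values for a name that imitates a Windows binary and for an
image stored where any local user can write.

Added example, not from the sandbox report. REG_QUERY_OUTPUT is constructed in
the column layout `reg query <key>` prints: the report's svchos entry plus two
made-up benign entries.
"""
import re

REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    svchos    REG_SZ    C:\users\Public\fmSTr.exe
"""

# One value per line: indentation, value name, REG_* type, data.
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Assumption: core Windows process names that malware likes to imitate.
WINDOWS_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "taskhost",
                    "taskhostw", "dllhost", "sihost", "runtimebroker", "services",
                    "wininit", "smss", "spoolsv"}

# Assumption: locations any local user can write to. AppData\Local itself is left
# out on purpose because per-user installers (OneDrive, Teams) legitimately live there.
WRITABLE_BY_ANYONE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\",
                      "c:\\windows\\temp\\", "c:\\programdata\\")


def levenshtein(a, b):
    """Edit distance between two short strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem_of(name):
    """Lower-case value name without a trailing .exe."""
    s = name.lower()
    return s[:-4] if s.endswith(".exe") else s


def image_path(data):
    """The executable in the value data: the quoted path, or the text before the first space."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def lookalike_name(name):
    """Return the Windows binary a value name is one edit away from, else None."""
    stem = stem_of(name)
    if stem in WINDOWS_BINARIES:        # an exact name is handled separately
        return None
    for known in sorted(WINDOWS_BINARIES):
        if levenshtein(stem, known) == 1:
            return known
    return None


def in_writable_location(path):
    p = path.lower()
    return any(marker in p for marker in WRITABLE_BY_ANYONE)


def score_entries(text):
    """Parse reg query output; attach a list of reasons to every Run value found."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        name, reg_type, data = m.groups()
        image = image_path(data)
        reasons = []
        mimic = lookalike_name(name)
        if mimic:
            reasons.append(f"value name {name!r} imitates {mimic}")
        elif stem_of(name) in WINDOWS_BINARIES and not image.lower().startswith("c:\\windows\\"):
            reasons.append(f"value name {name!r} is a Windows binary name but the image is outside C:\\Windows")
        if in_writable_location(image):
            reasons.append(f"image {image!r} sits in a location any local user can write to")
        findings.append({"name": name, "type": reg_type, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_entries(REG_QUERY_OUTPUT):
        print(("SUSPICIOUS" if f["reasons"] else "ok        "), f["name"], "->", f["image"])
        for reason in f["reasons"]:
            print("            ", reason)
```

On a live host the same function can be fed the output of `reg query` for both the HKCU and HKLM Run and RunOnce keys. The two heuristics are independent on purpose: the svchos entry trips both, a value that only mis-spells a system name or only lives in a public directory still gets one reason and is worth a look, and exact system names pointing outside C:\Windows are caught by the second branch.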

Network

Country Destination Domain Proto
N/A 107.182.129.73:21733 tcp

Files

memory/2960-132-0x0000000000000000-mapping.dmp

C:\Users\Public\fmSTr.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\users\Public\fmSTr.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/2376-135-0x0000000000000000-mapping.dmp

memory/4832-136-0x0000000000000000-mapping.dmp

memory/2304-137-0x00007FF7F8D10000-0x00007FF7F909E000-memory.dmp