ryuk | 907503b17094e4849d3f2b17f132c745e4a39c4c1b55c08b3e1d381c70c381d2

Analysis

max time kernel
115s
max time network
159s
platform
windows7_x64
resource
win7v20210410
submitted
09-08-2021 08:21

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
Size

273KB
MD5

0eed6a270c65ab473f149b8b13c46c68
SHA1

bffb380ef3952770464823d55d0f4dfa6ab0b8df
SHA256

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed
SHA512

1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'lRwc4TXe'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

bLYVPWLORrep.exebhSWXvhqZlan.exeXzHZOxtwqlan.exe

pid process

1716 bLYVPWLORrep.exe
572 bhSWXvhqZlan.exe
1008 XzHZOxtwqlan.exe

pid	process
1716	bLYVPWLORrep.exe
572	bhSWXvhqZlan.exe
1008	XzHZOxtwqlan.exe

Loads dropped DLL 3 IoCs

Processes:

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

pid	process
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2616 icacls.exe
2604 icacls.exe

pid	process
2616	icacls.exe
2604	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\System\ado\msado28.tlb	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Ulaanbaatar	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotsdarkoverlay.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\directshowtap.ax	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationLeft_ButtonGraphic.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Hong_Kong	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\ea.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\Memories_buttonClear.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\btn-next-static.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\split.avi	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\sv-SE\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\System\ado\adojavas.inc	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui_5.5.0.165303.jar	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Madeira	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipskor.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iedvtool.dll.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsjpn.xml	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Rio_Gallegos	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.war	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Tucuman	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\Bermuda	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\rtstreamsource.ax	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Chihuahua	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Auckland	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\blackbars80.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wake	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkWatson.exe.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\OmdProject.dll.mui	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\circleround_selectionsubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-13	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Kiev	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-highlight.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationRight_SelectionSubpicture.png	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Tallinn	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\RyukReadMe.html	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\MST7MDT	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\MANIFEST.MF	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground_PAL.wmv	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Costa_Rica	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Monterrey	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

pid	process
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bLYVPWLORrep.exe
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bLYVPWLORrep.exe
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bLYVPWLORrep.exe
PID 1268 wrote to memory of 1716	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bLYVPWLORrep.exe
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bhSWXvhqZlan.exe
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bhSWXvhqZlan.exe
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bhSWXvhqZlan.exe
PID 1268 wrote to memory of 572	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	bhSWXvhqZlan.exe
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	XzHZOxtwqlan.exe
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	XzHZOxtwqlan.exe
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	XzHZOxtwqlan.exe
PID 1268 wrote to memory of 1008	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	XzHZOxtwqlan.exe
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2604	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 2616	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	icacls.exe
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3096	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 3096 wrote to memory of 3132	3096	net.exe	net1.exe
PID 3096 wrote to memory of 3132	3096	net.exe	net1.exe
PID 3096 wrote to memory of 3132	3096	net.exe	net1.exe
PID 3096 wrote to memory of 3132	3096	net.exe	net1.exe
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3244	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3552	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 3552 wrote to memory of 3592	3552	net.exe	net1.exe
PID 3552 wrote to memory of 3592	3552	net.exe	net1.exe
PID 3552 wrote to memory of 3592	3552	net.exe	net1.exe
PID 3552 wrote to memory of 3592	3552	net.exe	net1.exe
PID 3244 wrote to memory of 3652	3244	net.exe	net1.exe
PID 3244 wrote to memory of 3652	3244	net.exe	net1.exe
PID 3244 wrote to memory of 3652	3244	net.exe	net1.exe
PID 3244 wrote to memory of 3652	3244	net.exe	net1.exe
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 1268 wrote to memory of 3664	1268	7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe	net.exe
PID 3664 wrote to memory of 3708	3664	net.exe	net1.exe
PID 3664 wrote to memory of 3708	3664	net.exe	net1.exe
PID 3664 wrote to memory of 3708	3664	net.exe	net1.exe
PID 3664 wrote to memory of 3708	3664	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe
"C:\Users\Admin\AppData\Local\Temp\7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe
"C:\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe
"C:\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:572

C:\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe
"C:\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1008

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2604

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2616

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3096

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3132

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3652

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3552

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3592

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:3664

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:3708

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:3376

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:3228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
4159cd5470df126875d4ae15483f2bad

SHA1
b618ce798effbd2f50ee79c4a57d4db9e8a74cc9

SHA256
5c24c562fd61817dcd4a8ac5a6cfef66766c71135335a0cfe018c3b28ffe31a6

SHA512
642a7b0dcb83c85187e7c748f22f3e587a29f376a3aee14d2a45c2dad9fdbb87b6b6d4dd6bd40b491a6d893ab5c304d8951939d7d9d405a64854f71e3f01077a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
46cb029a6163e57b4adbcadd7f19f71d

SHA1
7dead80dc7fc4fb731c90c8ee2bb1ac9f277c7c7

SHA256
1c1157e2e442d96665238da2a6587860d5472e132effbc4c868ea01bb0d49369

SHA512
b1bf0803164aa6f314a9c6963840f7d22a2fb8ce971b9b8df47bbc8e823f09bc23b68be314d45367427d801e0e9941169162added2e48329e68de985aec9f6d7

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
d499cc95f198f2bb8309522d33874cb7

SHA1
237061565b20b640d250ac04e133151e43b7e767

SHA256
17a5bca9ad1e957ffceca4c3646bf127ac03645b008b56cbcdee4673bb0d0bf6

SHA512
69edd6c01bf1278243770c8759fce619db56abd8269059f8099ff2c9e07eaff62e912a49d70b22fe5070af91a6aed489469ca15634c15875836fa5663dd882d8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
32b157b1ef7b9b0ba42be3ceb3bba6d5

SHA1
ff875afdc8083fa3ff059524ec4ea3bf2ccd255f

SHA256
ccc899441ac6814870c8b781a09098c19adbfd966c7c31e6a8cf40c2182c1cbf

SHA512
415d8bcad2536ab45a3031973e459094a1c4550556038b814d963c65fa9eeb5a2174212e189ff80ba453f30e5697e3211ef6e9e20430e49be1843284c328a954

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

MD5
a1c64694a22c8f5a727a1b2c911cccdc

SHA1
49d5763d205b57455a942bb876e330d7620e1c40

SHA256
622ecd7ef7af76463384c1b3fba39f0f4cd184bede7481902be8cb88e0900cab

SHA512
154f4873a17b279fc9a8bc22605ffe02ef87fa029e75f401e73b6c4ebec9e9294e8ef8a80839821cfba0468f007fb824c7c7c415c963de9a41e19b564be6b6fe

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab.RYK

MD5
b387201c0528276d18ca521555c00e7e

SHA1
e59f8f766cc483e570710f97de09826c8b049552

SHA256
288b0369a510ae22dbd6a38c0a5761d4a6cfd668ed501084948af9aafa2b7590

SHA512
376f90bc9782e8897ca0e31227735305b7249863e5fd82d44bbbcc9497700be45e4d38096c4870c653d9d45290a900be355e8178e7408966212bf8c9531d1ef8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
3d8ade5a04daada51816752563a9f618

SHA1
a9ae16ac8ec55ec42e32e8ef3b0f96fbb93d40f2

SHA256
e60f5de323e424d074ea2db0d471c6f8fafa9b3dfafec8990930a7400418f695

SHA512
1233e834befb787e70b303244b19089a8226815273466ba8e89f8475608f6d25209812e1362766c96d63a78b447ff9c9eff0a620e6988a77b254b09aa14e0ab1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
23ef7867c7c5c8b01fbac9ceee69fbff

SHA1
748bd2bbfc349dd9621d11fcc5eb9a6591e8f27f

SHA256
539fbbe1fbfd63813991d641a24fbeca9f5e7ed5b50ccaa912c8541b8f0a34eb

SHA512
a8bf5210d781fe251abb0ffffc0598a9a68187014da7cb891bae26985783a4596896b2059bae98d99feb1cc722a023fd5280dcce9e771f04c77148a9fd3bb87a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
a5fe0e217e626b60d5d2754fa96cfaa9

SHA1
4560ca80dc945b313a0f11980153542815191d3b

SHA256
96626de993c8821a7dd742048b4967504c0d0b55fb8ca1d19f02bf778edfef08

SHA512
8f0901090726764d0b84aa1bcb978ecccbbde96b753eea1dfe81a44f9bc7a4bd49dffbe216bb7f41f61fa44c6482305cbb7487138470ad27ca50b3c29a9055c2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
28f281dde2ce9e69929bd1c9f7bceae4

SHA1
54619c3e0c884ef18d7cedd866e54016828ab1a1

SHA256
ec07038def7166a3f0c9760c2d653ebd87629975d59be4e5dbfafa932f3f1957

SHA512
d844c0a7294487d4694651aa0c875d1822759d9ea59c5054dcbbffd41ec898881fb8522891533923042daafb412da3ed5968d25a0ec17ee22886797919814d18

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
4adda6573d5d15362a1e540ab209f002

SHA1
eb9f79df33f29ac5bc954a6383a93a410b3f1484

SHA256
a4af70b328d518a4e7c4e6a1aa0f537311aea344a09fcf390cba2a0742d3c747

SHA512
45e5debb5826dd6bf5c622a10fc192476cd1b3008725c00a6d163bfaaf8f110cbe24dc16b6a4ae8a98b859d7d279523ed4b6ca5d7488e9016e40d1fb9ed5711e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
955282f14a5cede0a221e189fe4c46d2

SHA1
f862694d5574a87024c099d4339cc20beaf08d30

SHA256
0807b564043b60a342c64e45654a49c9d54a1ce017ce2e6e86ed52e59e8d537b

SHA512
283135102b4654703aa42032a721c703b834cda24649b1ee191d091c94245dbf1414e4280294f9dfa4e1060375e42786bb8fa61aa9c1a7867b3e64077bbf943f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
236ea9bd9988b9efadce8472e9429efb

SHA1
93ce34c385df88dc383ed4b2b0481f0b4a55fe4c

SHA256
6f3770da83f6a60904e4c752e0571b6e78d43561bd9699c2a44881460ec7683f

SHA512
c8d8ef5da3e1cfd0f9b570ce356813dd1ba4089554b461b75ee9d9b03db73449114fe56f3970135c5e70dcd8a9ad61408f6cceb77da178a1ea092541f77385c2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
6d60d6827517d29637adc5586abe14fe

SHA1
b3933e69710c7d8741b60db41f5a22bb0beb7d5f

SHA256
d550b3a4f1bcc3aeb95e24b27663dbf1e97171e4551cd0a9ff59dc90a2b2a754

SHA512
8620a60d9fb7f0515b0370559da46ab7956bcd1242a784712ce4a88854073ae6718a7016907c96a2ffbcc5b389b6e28226c9856db15bf1fa980aa482d46a25aa

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
8bb69280c95ccd5a1be0e6a5086eafd7

SHA1
a21c8de834076cb56b311f1eef3a1bbe0090d4ae

SHA256
04f172c30df3b522d924958c9687ccb4a2b145ae2a4bf13ad0f5bc15a424c4be

SHA512
5248b070ea4382bf8c62dfbb1e249d9f4eee5d60806cf773cf7aa6e819d294923193b1739c0d149ab91abb46c8dc45b89755bc0e647f9ee7938844104f51073d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
911ef03386e75ac297790e35c4525501

SHA1
5fcebbf55d3b5d6ddbb6bd600ae3637510b43627

SHA256
2ade9f9f0e00425acec3cc19bf2596b6452b919c7d5fa1e24763cd8329dcd398

SHA512
53a0ffb6ab57076dbf9c8808077d119070dba1963f1674d5128274ddbce2afa57fb3e97a6c0cb48984c914c2bae69cfa295f7ee2eb197cccede92f208d5f8678

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
8ec038fa361d992d8b75fa0f9171efb4

SHA1
de422f9b6c2449f244218717801881fde5c836c0

SHA256
197ac97631064ece46170b9b2643e3628a8777dacb521bcba5aa06eb24434453

SHA512
8947a0a029db4d40ea177afe480277eb93981a1381c2cec37b2e4a734e7d9b20c3c6ae0e80d7665565eee3c31d05e3cd20853105c4a997660c28540db3f56a79

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
7007774ecfcb210ad4a04086d6fc7bf0

SHA1
e91eb2231de2177c1e8806dc31e2e4b1c630d1d9

SHA256
c8f0a614fa6ab453be5b01e71f418ee406a27a208dfacf3f30b2217548885461

SHA512
dc4b0ddb4e206383548b1cd03cc4abf9f599eb0ec2464fae4d928ee095988426cdead43a66736512c58d097099e2c267b01dc346a8fdfbf2ff7b34d050d400a3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
097cf713d6d8d484db9d53098888f695

SHA1
8cc0684b5c92b504901521871c7d1e5382d0ac86

SHA256
426bfb1a952339570a5c7b9bfca2e3df31155fab20d8a89f416197c682c022e6

SHA512
a0a5f713eed9e79def68270d884c2aff4a4219b92ba7e88f1ee052b7e296145e6ab0b027483453be668dcf571d4e0cabe5518b229372f019548563ca4729bec5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
2711a59a4763a0dc53d2e06842242e83

SHA1
4f7b009f4b4e58560578f238fc19c97d03caf03c

SHA256
c79939f61fedfc501b321e4f907cd9db8dbe0c5067db298939aae179101fd468

SHA512
d0d1b9a1089481cd3d1549dfaf88ca2e83c5487be59d05ac18b2b3a8790c9f3a8da4eea8d781e9a0c6e14ff97c10f67bc2dbd281e7766e71cb03c2c1924945d9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
fd1fa409f4d79e15b7367f189c5f3a7a

SHA1
cfc33a75ce829696850e05564ddd6d8987f551ec

SHA256
0b2d1e20ff98b37239a3a32bbe4114920591713660d798acbbe8e819c30552ae

SHA512
c9be261473962e0f444e279981f7c261ce135d5a2553291f62c44ce2344e57cd65da6c7f6435add7cc3d8560e7832333669408e9a69982061ad89ff4a367f351

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
d61cb96c805704b8dfc3b32ecd8bf7b1

SHA1
69c52acf92caac582a92838c100c0f7acf5e3a77

SHA256
b4f95a53fcd71e36c26310db91510487ea3ca8f5fc6dabe53d86c8eb75393fdc

SHA512
d66ff32666c8eb08c209e0b90754f8f9e7adb0d20ce46c4321d2fb79fd69ec4120874ca70eaf05053a17f19e1958b5443d05f1426e6ffb29dff5cf23a7153f30

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
7c165e2bc6c8e7e8e48eeabb9a2f38f5

SHA1
8d74cb10b1ba13d4c8a52fea696d7e551fca62a4

SHA256
ff1cd1230576f32cf657e84dfff2680421f22613d30fe09133740db5b7cfbc5c

SHA512
1e40b7b7d6684dfa28215591c89575090347ee14f2e7c4c73aa56c64cb11d1dd44b56c15a9b55ccf0843b125c60d6a06820f3f104995a1d528d0b8e6a53e509f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
cfbe79c1748093451de3b3e191d2d20e

SHA1
dfbe75246f3cb18c45f73297e7691ad98ad04edb

SHA256
77cac6727ae2fd4bb77363f8fff69af472cbe297f3b808ca5bb36d4bdddf24ac

SHA512
b13d40a8f70719d8a933072267835e78bcf9a8d1e747b55b59a5c26bc14b5811cbf88fe80951605c5a1dd2dcf4ec950d921ead640a7a35e9ca6eab7d763a0f91

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c5f11782d72b4f023f1870abfb4e3b0d

SHA1
5ab82540fdcd0253ff726749aa40d00ed51b0193

SHA256
a8add2a5802c8cbc08c4f335366dd0a13f3d519ab44236b403c1e480039b4292

SHA512
0bb21f74ffd33ae9933003f931e470dbf67763ceae685d4837ada4b650295ac113b44fcd111434f5de4560188dafb91d7eedc211af26a1a521decdd402ead4e4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
8c293f1c7ce4913750d0b927d8b19b24

SHA1
1a67ca38d47afebe681a9eb16eda9af347b2a5b8

SHA256
21ec23b7022076ea3b83db3f99e0a5d3eda08afe6592746fac81975887a52550

SHA512
934943ee8ed4216122bfa8f94b230b3246e6c3882d3d910be26c1f4e1776ceb9e641393ff1e84c41121041652dd05d0102d22e8f9e7f07a3345e7127304bee42

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
aec59bdf94e79db13fc415d9188b071a

SHA1
edc3f77b31f1fd055ea8cc9e0f0456d127d65000

SHA256
49e284c88d07a052fdad65ccb94a3322934b33e84d694834456c6a8f061b3fdf

SHA512
689c975ad3e2d6f71d2e6ff42c4ea7ea9f51232003fcfee9132b3d2f55e336b910054c0b68cfd585b8e8264d37cf6403dfdb7f67e6fe06d77c29b63d3180a036

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
588acfbcf5650dcbe972f5e75b33364e

SHA1
f8b58fd77603173d47e1bfc07713fc6177b1b80a

SHA256
248272b1b4c32c165a949bae8212a34ea49ac0df29c451871313ad4e53645735

SHA512
72241904def8ac6b3ed2bc8f7292a3372bd25a8b2934d8316310ab0162d0150e2dcaedf4540d7ab4ca7707deda0f3dfef72aa241f711d0dd42cc92ed3e172d08

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
7ae1457d854dcb7792aab1ab933979d5

SHA1
04034ab32d9f35d98411e644c7d1984c1bae06d6

SHA256
88bfbb6f6810cc16bb500a4f900b69364502ee221a4240bf53fd50797027b32e

SHA512
fdb47868eec4c626b2a5512f18ccaeb56652f1fbb71091eafc7d11109cfdbf9ac6b5472501dd0d72059c402c5da0926604d30522bf912107f5c1c19104525e81

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
74a236638556a3cff2ebef52228272d7

SHA1
3bce13fc72d7bb63e05e48700e5d2f7ccf31154e

SHA256
5c8375505208424c798258cce016ab5f990c2b98c4e14ab550736d6210b8bb55

SHA512
4777922bdfa92576ea99cd3d1145cb7a966136e560929f2491c96efa373025bc9d66b8b1498f669814264aaaa4714c39e313d615210510f50acbf7c54a92a554

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
4213208fcbbf31e7c17db9968ea5c476

SHA1
463063e6c3ea67f0ff488fe2095ff1ba1b283ce8

SHA256
5fe63841f12f0b055083f545914e7cc46980ab5a99da8b9159a569c0aef11b1e

SHA512
fb8b7b443bc5885dfca9103910100de8ccea336ab94344267ea2b0a73e8b957ec5838718d00525b9c0d997ac5c00a91444c5edcec327058e9821974579f4039e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
86dd995c3cd392bca5678ad935ad7368

SHA1
9ea2922d5182ffb80a23688e731cbf5b1aed56f8

SHA256
4fe34257fe9902b1f0eeb25cdaabff087078553b3596a9277b8e82525e9a0690

SHA512
813623cdd46f1858f51f3045c578bbe18cee01c3f67a0c8fcf82830ebfa10d457456e845252ad8c50cf8ee23c2fae7e6a8b89178871b47cef3d9c3994b540778

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
87410b4f1fa510207cb6603ee0c40f03

SHA1
5c5fb65b0634054af353a1d1684274135048b244

SHA256
99bfea87d284a203ab6457d3923fea42e1526b0a94e8d246c7b7bd856e7d8541

SHA512
3c2219f1881ddf66c3e2dd096fa2b8f5e6b80b689971aaea7fdffc3c4787bdad24ab57ed0258d9fbc1e1633b4e2f97f0801f48186c513739ae8437e099bd7a6b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
337c29488cf329bb38abc356e95709e9

SHA1
ea241356c908e5773d10b8e720dfdc619a809ea0

SHA256
9ca09b7cf815bd00bca0fff1ae59d3bbe510087547c63401ebd747220eb2bb0d

SHA512
0c3a227866798f0a423e89d043747c87896b14cdf6c8bb1430448ef64a6df9e7384119aa11f1b530d4693b50caf742535a956f316e55e66b0f5d4e76153abe13

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
36495ee2962a1d13965b42893a66dfe9

SHA1
332a8d58a9c7ad32d874bfd56a66808b6a8d76c7

SHA256
8a5acb0eea7fd4a679352734c9df8c1d6ac57bee2b0b4cc115b719614780f6a6

SHA512
da7462245bc1850bff5745de910ca809432456576d6b5f2d9e04335fe5ec5bcb3a04c7936248abc16c0a7de5dc2131c382861d7d9da28809150a7c2f5b824d24

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
4dec2c5b96dd203a9b889abd0e819f5c

SHA1
3b7e0c0eb25adf108f7938ddece59560fb3debda

SHA256
943bed7f54157e623654bdb7027a13035e785ffec1619ed45d08db7bf3f81adf

SHA512
ce668b1fd863231a3e7ae37b6d78080c75738ae98e0831a3f136b14b64ed51a1fd1f611fbe5856ae0a9fa4922deb587cd953c3024ca61a01b93686b53e24ceb1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
c1ad9d5ec551447eb4a046bd120b829d

SHA1
3a26ea47cdea7b33e1ce2ed1a095c6b9e6067fc3

SHA256
5f98cf2c63d7b1b165a6dbc6d89bea188d7f4fd2e4c48bdd82cbac509a7c25b4

SHA512
718e7d0e8cd10554012778fe06ecfb1dca5aa183d9013084e74b605c6e0170d7848cfe2c4d12cb6cf7c895e993f7d5121693bc360585f39a45c1a72c3b9dcde0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
157606e37c9702455fa81ccf8d144344

SHA1
89a21181f3bd9830083b2bc926af449ae3bfb4a8

SHA256
18d686db31e51a002b45a05968bf0fd0fc0828ebdf67120ef70d163c884329cf

SHA512
d241d2e1d0a176b1885eb7e6aacc5aa67070c1110cce81ea3fc4a23b6dc9f04631a9e9ddd50926a8520433bba3bf7cf231570c9e73386cf88df56507172fb3ce

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
1d3bec623fb0f7e62261107b97e6b6e5

SHA1
4d01c6f5b0944e59af70d0e5063805483115724d

SHA256
eb85a27f307b2712a2b39bd464a6e6bad137a2a72d0a1f06d9970183b5bfcc64

SHA512
faaf9aa20942750f8c8fba8081c4e35f91be87e4fc565c0cf10358323427b73bed9e7512d00df38fd1c2b156dca8c4d3d00227ea37e5066588e54da5fca7d965

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
fc5942dbdff8abbc868ac71760cfe4c2

SHA1
4695e83e8311f5d17289fcf5e1d9f562ab2b6ba9

SHA256
431e8bfc982bf0a2c010a8281b29c47d6c1e301c11936b5e42a64e53cec6f048

SHA512
09fffe2465ea07296a64da7c1c642c675f5b645bd2dc1ceaf469e48baad7fdc283c28fe95e1d53ed1a136e1e4a8221e6e5674da674e5490eafb44d9a47036c22

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
4818560a9f0121bf71c93ab4a0afcbd7

SHA1
080057fa94c4c210650ed5b99f11799eb8de6795

SHA256
51cb41c20d67df54d4fc8f889c0310a50bd39c07b4c0bcf8a1967631b48b0ba5

SHA512
80249540ca544779301ac00e44409600da2fe2ab2de822217598616ecc32f560eca92294710bdbf03f45ab06c3c1b9513908f516f388d7f9920fa06fd6bb0d62

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
985604b0065ec1ce4e1894f0841b1d38

SHA1
f9aff7c830a19fe3c5bc989e0a4be7a1baff26c5

SHA256
e30f8abac384b1a4845d5ad3d017f63d9c3c317302524f547401044bfedd407d

SHA512
a3730e5aa09089b8b4d2245c6c7327338641ea42883216cdd39552818429d18ee56839498ba46d23585259f4771581693536c9b65a1071f9d2983cd638c0bb68

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

MD5
7b892797aad7825f648342932416cbf6

SHA1
6bb3a01b4723848fd4d0b26619e16d60abb34e26

SHA256
a46964e57480bb9848fc5c7b74b536b953e9ea817f51b6d172e3f066f292df10

SHA512
d1cbd0f660e85235cd62966565f921773ba98c15e2b4519da0adc7b4666313f7fa53562912f2ff932fb471d5bcc486a6002767a8dafe905d23db02b42d4aae79

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
C:\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
C:\users\Public\RyukReadMe.html

MD5
956af70d8f297c73f99600f603321641

SHA1
304d502249ee37891c97265d3fab13aab0188064

SHA256
3ac9900502af1bd4ea6ea50370267203ef7a3c27d6e584cd83765440c08809c6

SHA512
85d4b5e0d55a064ef0f6a1ee534dec3dba1ebe98a914a9b0892f0986c40829f12112455778d8f1cd1d90a85ccbc5995cfbd47a65fd07613a150d35a5f4041784

Download Submit
\Users\Admin\AppData\Local\Temp\XzHZOxtwqlan.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
\Users\Admin\AppData\Local\Temp\bLYVPWLORrep.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
\Users\Admin\AppData\Local\Temp\bhSWXvhqZlan.exe

MD5
0eed6a270c65ab473f149b8b13c46c68

SHA1
bffb380ef3952770464823d55d0f4dfa6ab0b8df

SHA256
7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

SHA512
1edc5af819e0a604bef31bca55efeea4d50f089aa6bdd67afee00a10132b00172a82cda214ea0ca8164b8d7444d648984c27c45f27acc69e227188ec25064aff

Download Submit
memory/572-68-0x0000000000000000-mapping.dmp

Download
memory/1008-72-0x0000000000000000-mapping.dmp

Download
memory/1268-62-0x0000000035000000-0x0000000035060000-memory.dmp

Filesize
384KB

Download
memory/1268-61-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1268-60-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/1716-64-0x0000000000000000-mapping.dmp

Download
memory/2604-76-0x0000000000000000-mapping.dmp

Download
memory/2616-77-0x0000000000000000-mapping.dmp

Download
memory/3096-134-0x0000000000000000-mapping.dmp

Download
memory/3132-135-0x0000000000000000-mapping.dmp

Download
memory/3228-145-0x00000000026E0000-0x00000000026E1000-memory.dmp

Filesize
4KB

Download
memory/3244-136-0x0000000000000000-mapping.dmp

Download
memory/3376-142-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

Filesize
8KB

Download
memory/3376-143-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/3552-137-0x0000000000000000-mapping.dmp

Download
memory/3592-138-0x0000000000000000-mapping.dmp

Download
memory/3652-139-0x0000000000000000-mapping.dmp

Download
memory/3664-140-0x0000000000000000-mapping.dmp

Download
memory/3708-141-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads