ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
101s
max time network
122s
platform
windows7_x64
resource
win7-en-20211208
submitted
17-02-2022 12:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d

Score

10^/10

ryuk persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

ISiNe.exe

pid process

1812 ISiNe.exe

pid	process
1812	ISiNe.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResolveConvertFrom.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveConvertFrom.tiff	Dwm.exe

Deletes itself 1 IoCs

Processes:

ISiNe.exe

pid process

1812 ISiNe.exe
Loads dropped DLL 1 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

pid process

524 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1812	ISiNe.exe

pid	process
524	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\ISiNe.exe"	reg.exe

Enumerates connected drives 3 TTPs 36 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exeDwm.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Essential.thmx	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3ES.LEX	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Currie	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC	Dwm.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02054_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html	Dwm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV	Dwm.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HTECH_01.MID	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.properties.src	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	Dwm.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\RyukReadMe.txt	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG	Dwm.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF	Dwm.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	Dwm.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299171.WMF	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 28 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

pid	process
832	vssadmin.exe
1992	vssadmin.exe
1812	vssadmin.exe
2160	vssadmin.exe
1696	vssadmin.exe
860	vssadmin.exe
1520	vssadmin.exe
1688	vssadmin.exe
57268	vssadmin.exe
2096	vssadmin.exe
2144	vssadmin.exe
2336	vssadmin.exe
70628	vssadmin.exe
1680	vssadmin.exe
948	vssadmin.exe
996	vssadmin.exe
67248	vssadmin.exe
2060	vssadmin.exe
1840	vssadmin.exe
992	vssadmin.exe
56352	vssadmin.exe
2388	vssadmin.exe
1876	vssadmin.exe
1488	vssadmin.exe
2372	vssadmin.exe
964	vssadmin.exe
1852	vssadmin.exe
2428	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ISiNe.exe

pid process

1812 ISiNe.exe

pid	process
1812	ISiNe.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ISiNe.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1812	ISiNe.exe
Token: SeBackupPrivilege	70552	vssvc.exe
Token: SeRestorePrivilege	70552	vssvc.exe
Token: SeAuditPrivilege	70552	vssvc.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

taskhost.exeDwm.exe

pid process

1116 taskhost.exe
1184 Dwm.exe

pid	process
1116	taskhost.exe
1184	Dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exeISiNe.execmd.exetaskhost.execmd.exeDwm.execmd.exe

description	pid	process	target process
PID 524 wrote to memory of 1812	524	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	ISiNe.exe
PID 524 wrote to memory of 1812	524	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	ISiNe.exe
PID 524 wrote to memory of 1812	524	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	ISiNe.exe
PID 524 wrote to memory of 1812	524	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	ISiNe.exe
PID 1812 wrote to memory of 460	1812	ISiNe.exe	cmd.exe
PID 1812 wrote to memory of 460	1812	ISiNe.exe	cmd.exe
PID 1812 wrote to memory of 460	1812	ISiNe.exe	cmd.exe
PID 1812 wrote to memory of 1116	1812	ISiNe.exe	taskhost.exe
PID 460 wrote to memory of 1740	460	cmd.exe	reg.exe
PID 460 wrote to memory of 1740	460	cmd.exe	reg.exe
PID 460 wrote to memory of 1740	460	cmd.exe	reg.exe
PID 1812 wrote to memory of 1184	1812	ISiNe.exe	Dwm.exe
PID 1116 wrote to memory of 70584	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 70584	1116	taskhost.exe	cmd.exe
PID 1116 wrote to memory of 70584	1116	taskhost.exe	cmd.exe
PID 70584 wrote to memory of 70628	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 70628	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 70628	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 832	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 832	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 832	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1680	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1680	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1680	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 948	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 948	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 948	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1876	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1876	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1876	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1840	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1840	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1840	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1520	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1520	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1520	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 964	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 964	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 964	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 996	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 996	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 996	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1688	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1688	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1688	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 992	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 860	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 860	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 860	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1488	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1488	70584	cmd.exe	vssadmin.exe
PID 70584 wrote to memory of 1488	70584	cmd.exe	vssadmin.exe
PID 1184 wrote to memory of 43536	1184	Dwm.exe	cmd.exe
PID 1184 wrote to memory of 43536	1184	Dwm.exe	cmd.exe
PID 1184 wrote to memory of 43536	1184	Dwm.exe	cmd.exe
PID 43536 wrote to memory of 57268	43536	cmd.exe	vssadmin.exe
PID 43536 wrote to memory of 57268	43536	cmd.exe	vssadmin.exe
PID 43536 wrote to memory of 57268	43536	cmd.exe	vssadmin.exe
PID 43536 wrote to memory of 67248	43536	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:43536

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:57268

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:67248

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:56352

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1852

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1696

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1812

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2060

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2096

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2144

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2428

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2388

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2372

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2160

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2336

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:70584

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:70628

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:832

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:1680

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:948

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1876

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1840

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1992

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1520

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:964

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:996

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1688

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:992

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:860

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1488

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524

C:\users\Public\ISiNe.exe
"C:\users\Public\ISiNe.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ISiNe.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:460

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ISiNe.exe" /f
4⤵
- Adds Run key to start application
PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:70552

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1716

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
a7557406d504a868f311878960b580eb

SHA1
a7e640d75b9e0449efe7b807dbcd7c195fb4fdac

SHA256
55e188297d45ae3ab7b89541a912657252be252072de0a052bec12d781babc7a

SHA512
59da7720e6f8b8bc838878e3a75ddb28f2be0e500bf1f5e2d6b49c2337715dfa2b7540fc67b5a022bf2d788a026cb05eb5549f79a52bfa21c2e71b46c9f41667

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
7883e933b950e23aede2e410ec5b274a

SHA1
f29d044848eb7aa16f78161354ba1d9d2bb42e93

SHA256
08116b7959d31130cad2d8c374a00c1f7d499e60b11a666c2cc6f6cfbd7047ec

SHA512
10f4bfdd4744af7694fa4b13c8a2f61c4946b2ab1036c607158daec495e5d9460a445eb1a8af17db4ee9c7f42ed02531d67490822489e2bc6f162f8e94cb6cbf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
91f5533b7a94ff0082c9f56951ec994a

SHA1
f2722e1fde300bf242bf0c723887f7e6afa1421e

SHA256
aa4b575450393cda9017e540b34c4b37c55bb80ab791034ce1b97150605a3c59

SHA512
8857ac1fbe4f431ec6799da32f47a5d19a9ff78051fa6849972e37c92c80f3b3d50f349cc3983e0a8764624d17ddfaac4d4af8a14bab5d4b83c5b6721076dcf0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
e7684b2a8453f696225e8b2a8f3aa5f3

SHA1
a616637ab5c66de835e1670b476bdd36103c97f6

SHA256
0aa947ef3bbd241544a3accc370b35c9bddb279cb659523a192519f547cd6aa0

SHA512
7a55139333c688934db17f5b907dd2e9957b29dfc5f9603dd33cdc1c73501db40f34f04155600be5ca89ee4d612ef5deda1ae45a4bcf7df2950e878bc0764470

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
MD5
ff7eead0b88f39163ca037d8aa323b29

SHA1
ba9851cc4b723bac9c1a0153b81683a63f128ed4

SHA256
3b8967a0a651d5ed6a51a8060e1c5ed1f2081ba38781cfff90214fc6b9449b19

SHA512
939171bc04a04805a07859a05b8968c52b64913dac4ac975d1580e19a4e592e1ce03a8b165a4138576f2cd4c3f72eab3f622c842c468231dcc89954c9d16e9c8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
793fd0364c4c830f0bf4630b56c5967c

SHA1
71f720d2173809324f6f30a29557037a3c1da7a3

SHA256
d854d0a35ee1636894c7a2a20edda85745bf50e6d7e4188c6f6cdc4559b5dbb7

SHA512
1700905fd16592532cf8f67c0608cc87196beab03a071a7560fa69f92ad681dcb57de4c7a6c89a3a6c25242abeaf551bb7d070e0f0a82934b5fa548e075e7b5a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
155f39a11e705467a07de1f1707b5e48

SHA1
38002fbea1bb66c3e80d502d737e9745eba88a64

SHA256
a9b07e69b0c119747e9126aa1e665947d78df8c30c6e9900a873ba184bf2f3e9

SHA512
8fa177fb29b84e28f17cf97bf633752fa9e2cf283bb1825f6825f183358755bdf9d5e1471925eb5e6ce018873b3e74065349baa6a92e731b7a7b1db15e7d5ca2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
MD5
d6f0d8d3f88ebc70e328d497f357df05

SHA1
8bcd8dbedd0a2eff3c306c3c124d59edac417b52

SHA256
392379d2c7dd5f1f3e3981ac59f86512f974194362fabcc97dad25e274ce43d4

SHA512
014b79be96744d233d81640cc397ada44b35577731ff04c39ea929fa427871139554cabea0033968da9be8800151fd5a88216007ddac8b99f1bf9430ddd151ef

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
MD5
1bb4b751ee59e1bca3d1d991d5168d8c

SHA1
c8aa2981a4a71cdbe8ccb7294678887f419dc1e7

SHA256
e034e0ca684fe75fd1d0cdab26393ffcd4944aa74939226fdc8ac2e54c851b45

SHA512
dfef346a04d62c81f345c514a3f7dd6563d07dc7b0295a1507cd6b120517ce394f7418d590f0e8e156ddabf1f92ceba14ae4e3f7366891f20a92e41ab05b24d1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
3b9e529d66812825b1cd108fed21a1d3

SHA1
46f3974bc8a5026de06cc7835ec15b1a0eabca15

SHA256
fed71107d63e8e0e92b77ea898081d504904f66426dba93ebd2b9896d246bee6

SHA512
318eac45cedf2789135a6c1c9a972b4794d4335a135a7ce6b134605834f041772ea0f01b7a5e6f205a7dfc7ca3165044397095b60dc82bdd7bcdba4fa415d966

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
MD5
2c0378b52db5b43397dc758356c31d9e

SHA1
d7ee05c4f9852de47c7f36939a9463c1ab95ead0

SHA256
b47b6ae1f6ea7335770b0053ef4056d2b8fb585871176779a341e45b1f64838c

SHA512
c852568e8b15e94dcada9c59d6e5b4551d59e082963a4437c87109ace105af24176c9ba6004302cccbb30a72b61a66968c353aebc51eafc7c459bf7fab627083

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
MD5
7211589e865ef4400dc918b05bc6d55b

SHA1
3a3a359ef0614c327a9f2ba04b4524778cbf6c44

SHA256
4283899b94822e589173b239e18bd6d872bd0de5b9174b3b167e4d14ebb018bc

SHA512
4215517a5bc285464b37c5c061634fd062dc276eca0ef3a2c0c207c3e9992387518ddece1a6b9c853169d151eab51b372b78de956a45ddb4142d3f3adad5fe53

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
f64121b675dc7607560c5c5a05ea3174

SHA1
a30b1ba668d17f9ed7ea866ae3b756d755074a4d

SHA256
eb5b7a70f312aad84baa8438702eacf16015201bf72d91f1f9405a1a77b5c4b2

SHA512
45f7c93c0b3be65d4de3296ffe7d02633bf909d90fd16d6d901edef58ae6569cc9c91a32397d381d9970b5f6bcc966f5638f41b2683331be2fb61555358d446a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
MD5
ec4f7e380cca6ed54fbe9a63696933e6

SHA1
74152af45e5a98f0a0d8c3b84bc6ce935ad7a869

SHA256
b350094ecd5702e25c92556094182f51dbd89884dfb75c9a5d1de6704240adb0

SHA512
f57788077559fd24c1010ea7a7cf3fa51f927323cd1d052869ba8f077aa2034786c506f937959a982ceefc217a5ec28a70252846054ee07edc8435afc5ccab0a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
MD5
d3d584fdc0269b1a2f75b7f752bbd27c

SHA1
7ff61d139a6363957799d56474953327e78a7be2

SHA256
5a4e6013cbaa08617a54cb9138e8ca5b36f770e6fe3adf5355c94e35d76b1d32

SHA512
28c7586dc16e4f589683775cf092a15566040fe33e4b1d4e4e777ad38602560655183fee8453a311853eef00021ac4aea512061a076d3203586f6d67369746bb

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
MD5
65a35f3bde5f424cc4c5a1aa8c2b9bb4

SHA1
6c348f0f6aa93f3ec5cc18170741b050e8639fd3

SHA256
6d7484c89daa48944bc4445ce1c364d1d455260ca562e1c39c3516233258a2e3

SHA512
a1f42621cfc1149b6de24923996f4023e7afaa846254330a3887a7c6627d1fe3d864f590b5a6fcaba7860b57f229d4bf54e4da0c3b59647a2b202ef8311c3a4b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
e0849e89907c8c9e41c17b5b0e84afc0

SHA1
15817e2b0d8e2c5b0e2f3bf64a77235cb432abcc

SHA256
231a09bd5c5cf9c2479b9552f39c6ede125de213c4df3f346fe1fc2e9b9a51eb

SHA512
d92ae4cc081d81795b412c493e7fb1620880157b1e4ec898b2b020e53f99600f5c4f20f73ba5a72271ebcfe45e9022b80f9993af363806533fc4584dcd6d356e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
MD5
62bb2d0b8596d74845b3869567dd0a55

SHA1
d4e4c9e156bce3d5104ab93e95e4f09704e3dbeb

SHA256
8fd785830564313d925f21ca83cb954c150cfb0441b05d0d82708ec2e1fab477

SHA512
5bae9ef4f6d0ff8374a876715b4133ecbcd44652b2e45258126f23c63d9c8888cc3b5175aae2571850ba9b06ca3ac6c1e304011f38f44f90648dd7b499ffd473

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
MD5
725ce5349297f6585ac64bcb8c7d4bc7

SHA1
5cd1977addf761dedef813b42c491fea9ced0ad5

SHA256
74dadfe7d9f697c9c8a35554879227d61921578561f572ad9b4cc91479b711f1

SHA512
ae1144704a0f632bd705fa01e67b9e3763bb52c80117ca07aeec80756155e102049c4c9c5eb739324518742e33a73cfe60eb4b5f5432cd30cb2953b3d2cc8516

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
MD5
714e80f8e9c39d125950504878c70767

SHA1
fb6117b7e526fcadb1458a74c3211bd3a8961461

SHA256
77dd1405cdc0b853f825646a2617aff08231e7b51cff65df6b9d92492d58fd3d

SHA512
5b84d2f7f1e2c78f7ad0706809e72488606123133d2556a53cea3e8573b375967947f04c1bf5e7114b767b9999e916e2b0168f21fb6574ea877388b2471c4524

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
7e07532d0170c442baa67bcf72a2a8de

SHA1
4142eb9915a0a1ce17f80244825121ebf5dc0637

SHA256
0cbd700d71ec685a1934ecb0d1b00765afd0485ff8bd789982b32efe901ec1a7

SHA512
31c6f5893e2ffa1efed0951666fbd8b10313fb7beaf8cf5993d3530131d278e696c714e31965f34672072266667596560a5e5e55e266bf28d9c2bd962f74e066

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
MD5
81b7e38ce740ea0c9ad364bc0abd421f

SHA1
545376d9670deac254d09ae5955b85517663f651

SHA256
882a791e8fa36401a2374af8a34e0984483468b4ba2c5f777ef5aef63d0e6c0e

SHA512
1e9ac6f3e4c504ca9405ce119886132ff231f176f399c6118c1196ad383d1e708a041dabe12c32f22b385f4ddabf075b0760f10fb42abfed3c73a0c7e752cca4

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
dbad26fc84a3e19afc06fb7a341b8a5c

SHA1
4b30671681ee1448520ed2be0298201c7a8cccaf

SHA256
3609b05d0cd08bf8a521f2ef65d29b67ee3b14529ad9c2935084e3ecb275b55a

SHA512
d33f570f6c785c1a27982329916bd78f1c09b56a09295467792cca9b38f9e7b5932d1700185cf83e453c30667752600543ba4f0ccc9108d2ea0d1dc599f3cf4b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\Admin\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\PerfLogs\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\7-Zip\Lang\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\7-Zip\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\Common Files\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Program Files\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
0d5881c5b6b16e80fba7b9a7caf95f5e

SHA1
958d567b971e59c2dd1071201eddaeb947ca0c65

SHA256
974ba45c0df40b2cd4117cf623cfc9394a02ab4ebc0f94b7a775217ac3ef196f

SHA512
d41ad56017eb590fa8f1bd4b1ad94567755af3f70b3ea4afff61c2d18e66161ab5f487036730e04703135ced976599ed45424da27161cee5da02f976ea5b727f

Download Submit
C:\RyukReadMe.txt
MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\Users\Public\ISiNe.exe
MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
C:\users\Public\window.bat
MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\Users\Public\ISiNe.exe
MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
memory/524-54-0x0000000075531000-0x0000000075533000-memory.dmp

Filesize
8KB

Download
memory/1116-58-0x000000013FFE0000-0x000000014036E000-memory.dmp

Filesize
3.6MB

Download
memory/1116-60-0x000000013FFE0000-0x000000014036E000-memory.dmp

Filesize
3.6MB

Download
memory/1812-57-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads