ryuk | bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9

Analysis

max time kernel
173s
max time network
48s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 02:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Size

207KB
MD5

7899090dd1b61fc2d85b50473e500d8b
SHA1

9c972c2696d68d3d29726cdba061e31c51663c12
SHA256

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9
SHA512

b976e2f12bcb13ff10fb70338fac775356fb40ba36d11c40c72028c723d452e49128050dc30bac9d66e205162f2994d0f07aeb74a271fd494fd39cd1718b9c6b

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> [email protected] </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] [email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops desktop.ini file(s) 55 IoCs

Processes:

taskhost.exebce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Music\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\Downloads\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exetaskhost.exe

pid	process
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1128	taskhost.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1128	taskhost.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
1128	taskhost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exetaskhost.exe

description	pid	process
Token: SeDebugPrivilege	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Token: SeBackupPrivilege	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
Token: SeBackupPrivilege	1128	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exenet.exenet.exenet.exenet.exetaskhost.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1792 wrote to memory of 1128	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	taskhost.exe
PID 1792 wrote to memory of 1196	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	Dwm.exe
PID 1792 wrote to memory of 1528	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 1528	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 1528	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 272	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 272	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 272	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 272 wrote to memory of 828	272	net.exe	net1.exe
PID 272 wrote to memory of 828	272	net.exe	net1.exe
PID 272 wrote to memory of 828	272	net.exe	net1.exe
PID 1528 wrote to memory of 1620	1528	net.exe	net1.exe
PID 1528 wrote to memory of 1620	1528	net.exe	net1.exe
PID 1528 wrote to memory of 1620	1528	net.exe	net1.exe
PID 1792 wrote to memory of 620	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 620	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 620	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 1476	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 1476	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 1476	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1476 wrote to memory of 928	1476	net.exe	net1.exe
PID 1476 wrote to memory of 928	1476	net.exe	net1.exe
PID 1476 wrote to memory of 928	1476	net.exe	net1.exe
PID 620 wrote to memory of 1964	620	net.exe	net1.exe
PID 620 wrote to memory of 1964	620	net.exe	net1.exe
PID 620 wrote to memory of 1964	620	net.exe	net1.exe
PID 1128 wrote to memory of 688	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 688	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 688	1128	taskhost.exe	net.exe
PID 688 wrote to memory of 1288	688	net.exe	net1.exe
PID 688 wrote to memory of 1288	688	net.exe	net1.exe
PID 688 wrote to memory of 1288	688	net.exe	net1.exe
PID 1128 wrote to memory of 1644	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 1644	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 1644	1128	taskhost.exe	net.exe
PID 1644 wrote to memory of 1708	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1708	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1708	1644	net.exe	net1.exe
PID 1792 wrote to memory of 16812	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 16812	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 16812	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 16812 wrote to memory of 16836	16812	net.exe	net1.exe
PID 16812 wrote to memory of 16836	16812	net.exe	net1.exe
PID 16812 wrote to memory of 16836	16812	net.exe	net1.exe
PID 1792 wrote to memory of 16896	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 16896	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 16896	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 16896 wrote to memory of 16920	16896	net.exe	net1.exe
PID 16896 wrote to memory of 16920	16896	net.exe	net1.exe
PID 16896 wrote to memory of 16920	16896	net.exe	net1.exe
PID 1128 wrote to memory of 16936	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 16936	1128	taskhost.exe	net.exe
PID 1128 wrote to memory of 16936	1128	taskhost.exe	net.exe
PID 16936 wrote to memory of 16960	16936	net.exe	net1.exe
PID 16936 wrote to memory of 16960	16936	net.exe	net1.exe
PID 16936 wrote to memory of 16960	16936	net.exe	net1.exe
PID 1792 wrote to memory of 17028	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 17028	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 17028	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 17028 wrote to memory of 17052	17028	net.exe	net1.exe
PID 17028 wrote to memory of 17052	17028	net.exe	net1.exe
PID 17028 wrote to memory of 17052	17028	net.exe	net1.exe
PID 1792 wrote to memory of 17064	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe
PID 1792 wrote to memory of 17064	1792	bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1288

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1708

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16960

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:19700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:20296

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe
"C:\Users\Admin\AppData\Local\Temp\bce33065d06ee9290d73c7a470235508f605c9fef72dd0ebf480876c2ba593b9.exe"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1620

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:272

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:828

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1964

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:928

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16836

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:16896

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:16920

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:17028

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17052

C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:17064

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:17088

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst
MD5
55bc61557008486746a6a0425fbb8831

SHA1
c8a520e16537d3dcfe9134556fa45d249ec297f4

SHA256
ee74b5c6fd0e2f4191cf4006d34525225af83b5d351bd26df01aa1ae39682291

SHA512
8aa2ae47bdb95c7a243a14243f3df600b77b045de3f47938a88905a84a1203d3b87b7e411aa7ef6488c4ecc838918062393c8caf0f361cc4a7c7547f7488e0e2

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst
MD5
9404f71712e579037c7039ac4aafd18c

SHA1
e0138523b2fda12375e3b6520a0605e01ba42531

SHA256
50507d9d31db6f11ffa27a54cfe52220ccb5631f7a1f9f1eac0f25bd129cf465

SHA512
da661466176dabd1bae90fa7dbef14a584e4568efc52bf46393168bdf7412ae0d2f45063d06f033b10fb2ae2842121bf84a2cfe62603802b6ae718019e2ec486

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
9404f71712e579037c7039ac4aafd18c

SHA1
e0138523b2fda12375e3b6520a0605e01ba42531

SHA256
50507d9d31db6f11ffa27a54cfe52220ccb5631f7a1f9f1eac0f25bd129cf465

SHA512
da661466176dabd1bae90fa7dbef14a584e4568efc52bf46393168bdf7412ae0d2f45063d06f033b10fb2ae2842121bf84a2cfe62603802b6ae718019e2ec486

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
MD5
304748ec8a6b4f3d4539f9b9388b5274

SHA1
0e7cc5c9890cf7c0c86c832de6b2350affb99091

SHA256
1196feffb2aa618774157b7a380211324b98137395d37c09b62ab463e929e43a

SHA512
434fc3d1a0b2fcf406b6277fb7d42605f7861c3d6ed3b9dcc9da660a015b03dbd998a68a93591e58d17430fcb04d249935cd6a069b035585c0aeb26ca5cee765

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst
MD5
9404f71712e579037c7039ac4aafd18c

SHA1
e0138523b2fda12375e3b6520a0605e01ba42531

SHA256
50507d9d31db6f11ffa27a54cfe52220ccb5631f7a1f9f1eac0f25bd129cf465

SHA512
da661466176dabd1bae90fa7dbef14a584e4568efc52bf46393168bdf7412ae0d2f45063d06f033b10fb2ae2842121bf84a2cfe62603802b6ae718019e2ec486

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
2140d49dbe05bd578b144e165f131f62

SHA1
70a9608e005697d888dc30e34189946f70ed423a

SHA256
279e79787802be132eb3e0cf4c86787858b14b4591b4abedfba08ea8cd1a31d7

SHA512
7bbe73efca1939cf3b14bb1a846d2fefd0d300ed81c5e005a2e81f1b508bc3d98d263f0c478dfd1d449b71f9ef0496d3f5c01ce7c58223c81bf62f6a9b3bcae5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
MD5
7410136f06674e08323934edc1dccfcb

SHA1
68c00debb783a6cbe487df7795ee297f510e83e1

SHA256
d3a6c2ff4d7dff208b6b477788d2d6dcd8f20e6067eb7e0f32edf5524e05b674

SHA512
e62204a7fa96bc64141a59a0fcbc00dfa4e0817dcf81434e97f24f99b4413fa5e04bff666be2a50f85f3b429fc0cca6173bdea7222a3bccb95023eeaae0350fd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
MD5
a19395c4dd60099ccced4eea94679f69

SHA1
f263a46bf6e308e0f31b91d6894d57a5da8fb3ec

SHA256
cac73b8f225d8d18f639c41d5f7a8fb00bd7a8013cd39f8872130b672dd60154

SHA512
114c7001fbc68d56e1ddb53250b6f5c3fa3dec678639778e8d0ac5dc4f75b87a7293eb6f13aff9ee622a8539cea86a60bedf2eb46ce2abca9ae4c47ec8264042

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
MD5
eb37899a206a9b67fb3b087dc1117cd1

SHA1
36f85ca92dcc3450b4b568edbf7d29cc99f93712

SHA256
2c4e22b12775b3a19faf269fc8aa5349e6233c3a1177bd6b6d36f8f8dc688221

SHA512
002e62be1637160eabc9e35d6d91812f1ab5986751d49006ce928c355cca7130ae9244d30a83bfae5292be79929e41af7268cc618850b68cf40e1956caa1c28d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
MD5
80a1b66b12fa122570be9455da762e98

SHA1
865a9b7ef1af555fc4eda4c3b985b3c41591697a

SHA256
b64ec743f37f2475e0ee37a5cb6d6468ea0c3d5c8ff765b6b65d4eab599a9d95

SHA512
895f2b91fb80900bf956e83ea402da76358ec84a85ed8bc4ca5949633955a3d1205a77f609f664f4540108c36e97cda0a5b21cfc1970079944a272d9cf896a54

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
MD5
2d81220e5017133c041994d6df753fe7

SHA1
20edd529dd92449de7f58ee62938a1524ae4d862

SHA256
bd49985e748a346adf52b8a7515be79648a1118a258ce87edff0ff5d9db516e8

SHA512
7bc4ab66c3deed2ada38ef046fea3fc2a01a56b905389c516b8b9c6541f888cec46d26565073e40151a869893983416cd956c8b1e1a6958a4f30baf38fef7d7a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp
MD5
87bf9a188e4e89dfe161a8de407658e5

SHA1
f98174ec5baafef537f05e5f00a0e4ecb02af666

SHA256
5ab2ecbdc287c8966e9cc8efc4e796e83929c2409c4f38b47a102cae4e23deb4

SHA512
e5f90a2721fd4c16440ecae554fde1b1ca3ec7dafd6d9f44975f77d4919039ce66fef5a16dbb80f5c2c4abd980ed518e745e3717ae08fbc8d1b19a8471e3e5f5

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
MD5
66134c89b7b062b8e7a265655e13203a

SHA1
d573af9e017731d4ea66a5091ad2575b6c2be6c2

SHA256
73f0560739538be88f10d3ab5fe2301dcc908bb404d84195484be158e103459a

SHA512
9a7081b9180793a7de7df879242b8839beb62316336c50d1627431945edad4c3b21887f38f7f90974be921928233afd7fbb12a6f48fe2a8d2e2dbffa37c4afc7

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
MD5
9684376075420b388d6adbb108a742a1

SHA1
8ecec34163e1032a0a97b8ec2f22576a86b20808

SHA256
cdb99d99ead3e66486dd1323e9ccb74749a71e3a68fd14451d84120f962d7822

SHA512
806727291f52d7571a62e00fd29b12190eb6c2496ec54c29bb25c86be8aef01d588d68d6b1b5816c78306649559e08ca16b1aa19a4157b42ae66ebd5cf9327d3

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
MD5
1e04259f8373d077c5ea56c62aca8e59

SHA1
6e9a44b1971b11bf7df276f3e04e2a8772da82df

SHA256
3eb60dab329e7e41dbfa0fca1d787f82aec06e6e8f541291c62960a0e186ae82

SHA512
0b472e6ba238235a83663b1a1def9200716f1f86864402545f41b61138451df897a7a61f4f8af62825bce474ecff438a8e7b63c47f9c409c8a4999dcb90fc967

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
MD5
abcf8c17266274e9c3289fa0693e7901

SHA1
5c04a3f7dd67262d2497b09b493066ee0b95dda2

SHA256
aef780fea91abd4393b32f62f47bd874a4478dff97011827db82ea730230a96f

SHA512
b67dbd4d6c6cf3e97d13a4cbcb46bbd5579289d3cc4cc2787d91c00209501522ee3168970d9dddfead197c77c2eb5dbe9baca955c5b36804fba63eceea089cea

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
MD5
f17fc72031d9b03c9305bcddf751f32c

SHA1
fa9486c886fff6438d34af25125443ebb63e1825

SHA256
b547c7f7ee56ba546313db257b67830b13f388ce2d56c82a2dd2bc6895e9e232

SHA512
d0708c89ecd97e5dd20b5497474587d5a3a519d1acde16fab39676e8317c988c539046aad35439e9b5843018b0beef040d881a602f88c4d1d2c26f734106ad6d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
MD5
d81b23106ee91b289a60fef5e8cda9a3

SHA1
87494bb2899645aea36b40bb5934720f27ba319f

SHA256
d38ae422f5dd5dcdae6f40c07177debada8c3aa0aab7ea77a25e2c4426dc5570

SHA512
0d2bb39ccc44dcaf745a3fec087c9903fd885268ee7be874423191e152e9fd6ef172c44db8f51cd5701d82d56fb06ea3f54c28f1a420fa7df26199a99a73e910

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
835dc16ce129d27313e75cd2307d7295

SHA1
be585e505d3c66e816ccce33bcd6284b6cd31088

SHA256
ce613f8fad872904435e80b62d852d67bec922617aafa80b41d42a2d86b71c66

SHA512
ce22a8769766ed78f3d4eca8d49af43b93046010c62dd3d57a7312423e62c20d2d211e18f65f1b19aeef5a5d8c1600a559a7cb9549296995b6ffded0c8461348

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
MD5
f43bbc234277a96ac8750829a56f3ee1

SHA1
13dc07d787955a4b1dbadb1a3478e99fc46e45fa

SHA256
d6e44d37deb83c4a60a3d326a64b221b77508f0313f3f5e2079e5e066ff3a4de

SHA512
4791a7cd06025c309444f7962c8fded75fedb330d80ab0ae1f01fbba16f1783f2374b1ac9fc5b80262c215b56a4ac3c205c4da7ecc68e1c33a8c698d31524ee8

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
MD5
4b0a9508de4d213bc935c7d669e2f8c1

SHA1
8bbbd9c95a83c84f8ab474aea1dd8e2c3304a00a

SHA256
61c9282867bdaa80ef393d6c783cf8139d8868c1d33e9e4c92c1858ec02a990f

SHA512
490cd5c1ce0582135c7d5003923fa7b92f6c9b13489a9b2c73639f6ff5ccdf49e0014c02274f11cfe1a9d4edba81e6fc1a1039db94546feffdfdb5025ca77a2b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
MD5
70b16ea86808266cfef9657620422e67

SHA1
0884917de5d7324a718bf6fb068a6500da418383

SHA256
54147dd54f84ed31060c179d3894a7b2ab94d5fd0de8d5bbb07854ce23c56a98

SHA512
0b6376c1713fe7fc248b33cd505234402bf0618af2d707561884ac361919dd66b6ea1ee428c40dfaa0ab3f8e4c08d11565ceb0e0184e8afbe24a8029d0a06f46

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
MD5
e212965bfa493f632785a36b081d42b8

SHA1
fab5e5a39a1e1f9b7d212e8cc10628db3e6d78b0

SHA256
7a16887ee04b6a3167ca6e334d1ee8243543d68dc027807a14db9d23aa97792d

SHA512
6a2763515801d5f92d026fb86215dbb78900d4278fbe612c05af254c7cdd4689fec5a15ac7b589d66483337cc7573bacaf64879541e1e7b5daf5ef138a3bad44

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini
MD5
0d68faac562bb22abc7692be6df62304

SHA1
addb7b8fdeb16c0fddc83a3f95d0b10babb1a924

SHA256
41bdceb2f1afc07fa0982a53787c0532886e09f1a1232dec6e639ddb843c96f9

SHA512
ec8c66cde573d6ed62c76add7f0076eb58f44efa720960d24dadf1caaf3fd1848f42a4423518e29e1a8f9dcb43a6e41b5ccc01d89f8f68c5376e25cab34a3273

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
MD5
dfcce8becda2f83c9571f60543e1d73f

SHA1
4f0ab1b67b3b09930fe0f35bddb89c8702e91071

SHA256
ae4a703607f1b412855701c3a771b14a99837512bad4ede195cdde1b5e95a9b6

SHA512
46d3c630e8a1accddc95e83ae3b7b8b3220ff1e6d4f362539783f6b011c89ff262a292d2b35954d6eab625646516b76c2da8103882e37159df203abd538ab281

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk
MD5
44ba758e69ec80df9f7a5ded5987b46a

SHA1
904d6e5636e076f791ae386fa2bd22a8570973e2

SHA256
95a05ab6d1c77b86312f3d76052ec21c0558dd7b1cceea7f17106d0bd943f9aa

SHA512
4e52d0d1e88b71c9ba683ec8311a4797020a117da97cc9a685ba77b5a7aa504d40ab7bcd1c3f72f1eff42d3650ceb42abc6c28ad18cd745fefbd029ccf9823ed

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
MD5
d4c94af4d1a4675d71f97017e7d11803

SHA1
fb37e534db126ff8548a8f31aa624504dc4ca84a

SHA256
438500a19b6c88a7dc8251ab0e7edce3f3b38cb9da47d34bf8e224628932b70c

SHA512
1daeb129dc3d6f8b02838a2bd313997be8bbec6430673b6c29de3ed738693a6a1e6f04b25eb8df15c0fc23a9e8cfa619cc5e02774d54d5df42264ebad9476393

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log
MD5
682c164f46efdb7edcc4ba38f16edd07

SHA1
9ea23a86360e23b8e6b977866efbf41ea3ba22e7

SHA256
6481d99a045fddc36c700d63b1d103ef9ca2d0a17b6f8a58b8d46878e5d0ed96

SHA512
d0905755f9084a556947942042c5e6be12112ca35df856d8b566c1d1161a94c789abd585efab06812e3eaf384cffde1a33e2538ad597071bae26766d0d1f9543

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs
MD5
148660c05ce6cc5ea9fb800bcf8a73dc

SHA1
2b1ae54eb5370d8a7b677f9f61e2be398da0c1f7

SHA256
4455ac033f2a71f8b5238609eb61b4bf31e093368941772ff13a85ad52fe54eb

SHA512
554a845e3f9a467bbacc7cabe209228fa8006ff636413128a59d4f1689d97834cd2f782fef0711bb1a211df33f12eb60a0e9a99230a1eb4be796a534490eb66a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
MD5
cc6fdad39027ade1743e4c17d1742a1e

SHA1
f67bbdf276455a8a405e67c89831dce55b8c934b

SHA256
7e41c13a4237517a541b51182886d396c11c08de01908243eb44eb700b353e52

SHA512
80fab558390a63b8161ee4184839594510bee55678daec1211cf4f6eda0137793a2c6626557d288a969d0f87da9ae4428872f77d2dc91e5df6f4b13ce7d1a558

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
MD5
6edc3b89e91b7c901d50017a9d90b71f

SHA1
47a0aedb70b3a76ccd1b5ca0bc898de4d9e2c89b

SHA256
12a65369cfdfbcd5ad5d2f12a178f5f2c6fe4f4f8ba800a28be9851f72a7cec2

SHA512
2759c94fc74a0d9de8efcb8ab940d94217abdb2c54e942d0e80654cae5bd7abeb5bdd7d7fe0dc5b5f84079c0df41ae1589d0ad8ec0fbfeeeb3cf9a18594a4efd

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
b8fbf96b6b44b0a01655b08664e20289

SHA1
091c7ccfe9f20ad39105a2731e2986a388e35d72

SHA256
bef59cbb57ab64bcc91834f152cd111c5c3b5f35078ad95a24242fcdd471e385

SHA512
cc65402cd6724bc35cb7c40a3743d3abbe7888fbd2b6cf21bead2d97fa59d27dc1da11e0dbcc040277676197c838edebb00c8b76d83f4306c51e6aa7a46b50fb

Download Submit
memory/1128-54-0x000000013FEB0000-0x000000014018B000-memory.dmp

Filesize
2.9MB

Download
memory/1128-56-0x000000013FEB0000-0x000000014018B000-memory.dmp

Filesize
2.9MB

Download
memory/1196-58-0x000000013FEB0000-0x000000014018B000-memory.dmp

Filesize
2.9MB

Download
memory/1792-55-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads