ryuk | 88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335

Analysis

max time kernel
4294211s
max time network
125s
platform
windows7_x64
resource
win7-20220223-en
submitted
05-03-2022 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
Size

575KB
MD5

6cad2f7dc809b9353a31753a438aef4e
SHA1

459d816bb020f5da8257076a36d0ffd1f1f02d76
SHA256

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335
SHA512

a67367990452bf21b7c0d0682c598422c78a5ed455a5d5e684d8fabb43366b0e9f9cd579a5f18123f6b1f97945f789904929838d1d893b70f450bfeafb243bb8

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> naebrahedin1986@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html�

Emails

naebrahedin1986@protonmail.com

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

naebrahedin1986@protonmail.com balance of shadow universe Ryuk

Emails

naebrahedin1986@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

788 icacls.exe
1592 icacls.exe

pid	process
788	icacls.exe
1592	icacls.exe

Drops file in Program Files directory 10 IoCs

Processes:

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\RyukReadMe.html	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe

description	pid	process	target process
PID 616 wrote to memory of 788	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 788	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 788	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 788	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 1592	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 1592	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 1592	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe
PID 616 wrote to memory of 1592	616	88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe
"C:\Users\Admin\AppData\Local\Temp\88b1b4966650de59cef20c340b28739c52dc9ead91d9959a338a8e531ad38335.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:788

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1592

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\$Recycle.Bin\S-1-5-21-1405931862-909307831-4085185274-1000\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
0b3f2e7f2063bc76d0cd2e5a517e4d3e

SHA1
76c3b20e3d8d8b68afecab5937967bf858dd271e

SHA256
c41a4f14f34c74eb792e2ea92b6cae23c510cda45cfb1a33ac94148004530aa7

SHA512
e4b9539e18aa435b80c30cd510c9f81647efe5bab9394f15e3bbd2682dceb3360b6dd175c2ed505c172bd5d7b203def6e87b6800172a9a67d0b3181d3c58d364

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
MD5
2c438dbb7a7dcc664436995cb3c422f4

SHA1
63d033ddbb08c4f2f04b6a7231b8bbd019991456

SHA256
4147c83e4810c2bc5d6033a5bfcd8dd83a603869401c71b24d6e1cb7821130f4

SHA512
3a31026c92661e86e5e4059cbb5628a9ec75d16659980a0203b05b82355194c50e8546f9ec1f4df723175438d21c55fdf5748892a40803e379bd1c0653fce92a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
8812d66a7e5432ed8f9da08b18a1d9db

SHA1
71193636ce18ebd0ca274cebaa238fec0babd89a

SHA256
0315f492a931f5d060a11b163eaccfa06749c2a29c6083e839bb66260cc4def5

SHA512
b2925198a6a222e473c623f0f36a4e896a07649f93a44f54ce97a973f8b24d45e4fcf73f739b3f504a93af2b7e52820feba6289897242916ab2401c3a6aef04b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
a4eb40c8dc2c4a96b09a02dc0ddcb509

SHA1
e339e9252827e917ba3b01b20174510bc613e892

SHA256
2bb22ea688a0fe9ba17e07eb12cca949578b69b26a0d8f7cd55c4fc9c0045acb

SHA512
83bb8107625436cd3e95bfbf870015b8fbb9f03caa39820a89b98eb02402e084cabf043ec0fd7620e3cdaaa8f78a3f5b5bf97acf740d69a14ccc5e7563f4bc4a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
212243c72548c9b71891f3668aa65ec1

SHA1
91408148f47ad864765e1ed432639694864d86ff

SHA256
d0547ee1fecc26f64b4b6259c7e03611ac2c7bc1c4e09f843a41ef31e8ab6de0

SHA512
7cd1dc33283ee9b4ceca123b520fa7479543a5a10bc00fbb03af1e19d99de7d956fe27c8ea9136e53c82207ca0d07ef4d35d5ddae561b780c9982f38f2cb4b65

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
15df74fe7748a755179c9c95fde1ecd6

SHA1
f542fe8d71016c0e2b7d97d92e65208efdbae483

SHA256
517d95450974f501870153f8b61b24c60bd42f14c1c888c28d0e7d40e9378b5d

SHA512
f87ceca93bbb697f0c822e039b863d25cc9ab37f448bc37d0972062480bc580bcc853fd1e66ac864cb0888f7119c8b6ba49594a00a6dfc2ca82840d3b33ea625

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
MD5
5cbaa65bfae081bf9fde75d5fe4c30b8

SHA1
17d7ff700c31ad9153176eb07a8d62e0e4fd7919

SHA256
e2a875ad7460572405a54ac0ea415d14cc8c4297152e49e43c1412d9506cf9dd

SHA512
a171a8373b145c361fb6a46ad540a097623a04eef8a99dd1f7b78bc82bf6197d362a3b8cadd298ae343277f3c6eabbc06ae58b9801ac4c6f02f2255072a7e2c4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
70a3a1626fca40ed9c3d1d0570e7c062

SHA1
d43da3307e0a65153f1de6e02141843768862e7a

SHA256
7dbbffecce48edeac8550e107a5f33de8bda8ca941fe86d7d307239be96c4018

SHA512
9c667e9db7e62caf02d2669a5bbdcc622ea526c5f7dc8e28367fea4da4170ff025900590fe87242d2aed0bd4e6d21b05298cc92eb9063c00b335b508db8de3aa

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
5e7d29b66ba0ca1c7d4e983ecb41b372

SHA1
d3ede5bb2b52dc83e7bb3528a09f786c198d4131

SHA256
6177be4c4c0b7ca73b4760a86e569d57ac783c024d9cebbf8e7c12bce375d555

SHA512
02d3a0a5a3e1cf685e3f785208be009f80a8ac9c1e67655c977add6a2519737e8f2ed408a315a52d67485044b7c82bf3718dfd579b5caebf6b791d88e76e12cd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
MD5
9460e48ff8cdf7d32e071f6e2a1daf3a

SHA1
177380e74618b7039f91780d36b8371a708eb591

SHA256
201760dd3b243601bbd23a5e7a8f593a05a330e48c96f2dffc3460324153ed3f

SHA512
26e304976186fbdd589022138a725e9cf2b59370f995a68e31c5be4b33ddedc2f2df5e159ddd30739ead01c5376becb90266b6ed0ed00232b393605a6c2097e0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
MD5
b8530b47fd253bf66ed1511e6c086956

SHA1
0d237f7bf5cc99b481d9d99ca3a37652bc6e8027

SHA256
9d296a848b5e3de77334a0d17db8ee1b73dae3781494e83a862d6a19661f7f6b

SHA512
2165f46b26a1929e0c9721640a6e63e2cedfd2a40a4252ecfc52894cb55fb005dd0a6d3744c5d8a6ac7c4dc586d4b90308e0a2963aa62c2e523c4215e1953cce

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
ab0043539f14861451fdbd88b481e029

SHA1
1e1bfad867df46f4b53adf9cb4161fe62caa29dc

SHA256
da849858584e68a0e6846ccab42bbd493bc0361732148f6d8fd5d27c718092b1

SHA512
c4e86368d95fb73b335c018ec8ba7e9a2f5af1c449a89804d52fe5a0305d112e936f6d9618d7da94829bc3dfe467d777a5d6d53af538ed180f1ed7785e989089

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
MD5
12395f90b3d00ea8ff260132fb96d55c

SHA1
fc6100a0daac472ded518c903291b094a3530f76

SHA256
dc1f641c94ac6486319dadc34714ac49983f31cd51cc823b43bc4b5e25f9ee86

SHA512
8cd4bf4d395696caea743a25deb3ba941ae80cfa58dc068467e304d4d35d2b3c81754fe5c7512b48e5b8d4e8d5b2e1cce2c278adb124836989610910f56cb4cc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
MD5
ee44025c8806ec29fc1bc8f50878b84c

SHA1
94ee57090267e30880399450e96620d8dc61116d

SHA256
ff25cc4eb7764fa3c000e6419f788d0f7290c4a0fabb58a0f1fcdff424b81bee

SHA512
7f9bbcaf4826d2b0c743db44358689a4680585126752e32bb5626fcea97a01076814ad9863c99addfc1f307ee754db360a20aee663f6b15f1c4c5fbbcec7d15d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
7c16b50869467cb285a409bc14b7822e

SHA1
e07a162e61b512fec15693ece46eeabafa701bab

SHA256
498f8b51098a231f6047934508fc58fdb3310a514464d72631ba50d3dab41f91

SHA512
04cc0d3b170eea5c9f7bcafe98222235d58dd958c0530d13c46e339755ec64df9501133818bd97c8440678b8b43f64acf6b8408444ea136f4171cc64cf3386ee

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
MD5
354150079df2a7ffd9ea01b1cc2d583d

SHA1
72debb32842a0073270841a22134774ad038d9f9

SHA256
1d467213351bea855e825a896ffc1a6b8aec59049a89e6679597414f9a4fb57d

SHA512
a6b40a41f1c7c464a63eea2574d3ea469029da75dda5ce8683fd38d15b591ae40946830606c9814f2dba483e0353ddc5455fdcc2346d2874981f693d6cd7ed0a

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
MD5
fc3b071ff348a11aa966d299be85cca0

SHA1
145a3d524b9224d1e89954cb9261545d3c5668df

SHA256
7c81d48267a79625866a4cd050836178b38430352ee42131198a0d2cbc39f502

SHA512
035a21a8691cf6fd90d2b7e9d764623b410fa6e860009c256d4aa1e970a0145cbd96c5c4dfd77708be5d70ea4a0ebc248ff3e9453cc36496012391df7436658b

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
MD5
4518887cc2fec40e14ad71fb7a00e914

SHA1
ec85fac653a325e349229f665dcdd1e0fd5fcbf7

SHA256
cd670cb1d8548947be8b87a4e3f8a777b279ce4c007fe22efec4d1453bff820d

SHA512
59c77ca0a2b65c5049d58bbf0a70986bcb8608ce2895eaf2323fc268d08082f63f3e6c9d509e78aed5c01f366a67f4c76242d0d93cac145c8ad1113dc3fd3d6d

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
eb75c2d07932f7bdf129e41e3b9ecad2

SHA1
a96eb582652dcc7a6bd6a4108ee7619d8f53640e

SHA256
18ce0ce96bd800c755815b9a6996d360086c86fc2638173ee258c0e930c0290b

SHA512
e7c9c15800caabc469517911faa0d64b56b909a972b756e1ecdf19e6406bf3c804723118005022e69a43376acfc31531237b2eaed0710c18b5f24f3c6eae2418

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
MD5
bb8ce602ae731fadb3ca99b76c4decc9

SHA1
f150f9181c1ddd011045355cd6c54a41e8038c4b

SHA256
0fdee12f1542e38acb2c6c9c43067591ddf804fbc59b0c63994281177a58fd69

SHA512
8e040b8474b5be0e56636b7ffcfbd208d36fbbc09f9a32d4eaad78d8cea5eea5b874d79b194b6a91e83e133ae40c8ee9f3af7a12ae502f1941f3ebdbc11843db

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
MD5
5e1b4d1c3d3e3a3aacb2a7ddc49123f3

SHA1
bf7c0fddad088a1a82883e93b7dda8682a995714

SHA256
7b27125dcce51fd6f44c3d253b0290741fd5fe802e17e5ded0298c955158dce2

SHA512
8771033a2f21683836edf81db92d6bc801e2d74fe13892e85f49855dcd6d0a39ffad33f2e4a76f69c66c866586f6f9dd3e47967b64a516cc3b3d31a2a16debbe

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
MD5
4299a0b8a2817897c411068806c8f2c9

SHA1
8d13f4147d0a2c810ead303e72858e62a47c9b4b

SHA256
f6df5086dbdc27086c89a9cae8516263c53079d753ca58762d87d5351e230992

SHA512
8c6ef1af77f716240098fc836bf2e750a0bd81b925cd5e73c3e374a18591a739aa6a7ad0a26e229ff6c73e6f040ad623de6204d06aba871fa265cfd7b266cbe4

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
e34731c4a29d8bb4c4fc9aa51ec8e980

SHA1
a46b124e52909ce4a88eceb33a20552fbb4075b7

SHA256
7ea77872e8a3fdad8a88929bb2e3635a7c74d8ccc7e33935865c822f0151d521

SHA512
f7429c65f7844e9945f17521890c5e20bd0125cf6cc1d5376617c71c0c804af07098440a882f48f2bf4628625f41e25ca259b9fbcce17de2f5866399087ae2c8

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
MD5
a89d393726707962ee24416e93eaaaa9

SHA1
d4186455f728a02b1afa308e10dd93e312e70f27

SHA256
36f06ea3313a74d04ac8541dc24c262fab791330f0e48c08f24d13e149ced5df

SHA512
565c1e21aa0634c325bed13c4b8f8edbad6281a1da93d028104f4581103ca9f11db5769d2368ff235515c9cb9d8847b0c48774c40e84e384f5481b520b717fe1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
MD5
a935a2535b54b3cc56d99fe4cc35e767

SHA1
87880b103ff4216e74bf739df229d864b236408d

SHA256
64bef50a2ead81ac66cc4c07ffb988646f12a4227a48fb14e335820fcb45fc2a

SHA512
de4a06aa2c61b78f37e23c3fa8791fc3ca11355959e46803afef2ca3fb99ccb9c4a1ba4006f429e05e050e706bcf0f7ba70843a1bdf530f57277c3575662956b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
1025b6d50b4dabfec6d0ad98ea776ff6

SHA1
857704543cd478336afff4105bdf5ea0acbbafbf

SHA256
e2595436d96d167f29448d93048939b68c41de6c66b4222b667e958975752ab5

SHA512
7aac88abfed204db0b9436f8a5fbb31288f9fa3dfbf39aac6177305d45615e7a5f3cb15f5672ff482867a67bdb4717d6b775a143c2e1ab8d1e740701f91e7a34

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
158f6a73a3c1ea16f22f57de3c9d3926

SHA1
56f3dcc07496d8ce41dac3daaefef6b2474f090a

SHA256
8428cc8b7e4afc7dfa46b9f69a342c76d6bd696fee3078895c17597484c60d6e

SHA512
60652a21ffe301d502e292454ec56a86d9da4c3bab74f1ab60b24fcabe069638ee56f218f98dd5621ee1f343bac4e30da595e36c98d3ce5709c226755fb77328

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
fa4671b6d37866c4edc3d1da12ebd0ef

SHA1
f6637950e233358321eb5a54a4c9f46f478529db

SHA256
ac1134be5bbd737f50871e18ad666c28e64f00137b4f912714fb9746b71b1e59

SHA512
744ed25e2f855a83c8bdd9ef47fa9130dc3edd410454e038902eb851d426e1c68ecb9116a1ac5813ec84c2185ede5b6d72d05f23f9ac40a66dc7cd32ea83f9f2

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
MD5
f3b43717bf04245eda8133ebb5a6b9d2

SHA1
1c4506459e52411d9ee2f2c8d2bff3135e8c0ef1

SHA256
70a05617c731aad06671a274118f48b5ff62fbe414ec4c56cac26847a4eb26db

SHA512
a770c6ff6448d3d795e43a3228c169397f82b66f3084659f1c1d65c4befb8fcac6eed7f2d2f0c4e0670b74cd71bd504a346c1e547b6b5e567694eb55b0c3ece9

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
MD5
f9074b5db52638ce3ac53f8b13b3d1c2

SHA1
f6b67e9c9fc1a54977d34a4fd058091a21c83d7d

SHA256
86f5604f708c0db16c1837583b9a8c664d390dc881897f94ee76b5bab049d451

SHA512
d8260380e607f3a2b100abbb7c4288bcba133ba9066cad22e263d18f2dff556b86721fe033a278b975dbc7fbd730bc34328a748a27bced8dae7303094cd9428d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
MD5
df2d761105e04c697dbbb194c3371304

SHA1
25d40f4f4e0f45979f624785be7a7c2b9bed9d95

SHA256
4020d0048a6dd7e80e07fe97a40ddde59fea2d2197bde0275532c93568141ac9

SHA512
06a5ec1ebd563e5ba2c80da905c932999fc594cc44b8386d62ed864e2b6d8e705cb6f2a568edeffaa8772e42083cfdfd52a774eef752edfe719594be482f2516

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab
MD5
d25c761b443b416b7c1c82cc8cb1620a

SHA1
2ad6761daffe0736a56a65ecb5d3362bd93842f6

SHA256
764bfb2cca72f29b0ea1b0edfe66754fd2bc0e39bd803efdc38724dbfb74d62a

SHA512
778fdbf79a201eecd1e65cd76dd93c949b19238b471d15fb1858940610d8bb26ae5f39a60317c3e0d3866d37ecb3a31e207cb46434381e78a471722af002c9ef

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5
b783c69941103498629870b5160a246d

SHA1
ddb114fc78a1a0a81f6b14129fccce8b6383000f

SHA256
8623019ceb4eec83259f2619d231029300868335b63947525c3af7eae543caab

SHA512
269f4d5efa7b5139325db2e082faaeda938a8279a9aa852ef324232123d2936ceefbf2751cd88ad9db489f956437a181f63e2869f01e3036f50218431edefd95

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
MD5
aff0257ed87fa5c2ace893bef367058c

SHA1
29870a8011f8ad861d8b4c9f02f1cd82888aad3e

SHA256
a4b20855784e0b11ba34212587392e7ce4afe22265808caeadfe3174e921624b

SHA512
aa1bb31697328eb0fcf1a344eb318951eecbd0b1bf372e25be535afbc86d4e36a8bf71e7f056eee2c2256ea9408b0285412718e01c0807c530b424381a633564

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5
a9def398ec615d16f9c19a33da29ccf7

SHA1
4f3bf2508549b384ffc836b11e540636ba91be1b

SHA256
c3a440a5e2dc3a274a7122681a83ea9b66d2d0baf1b565e1bb4d5ee4a325fe82

SHA512
79f87289b49a00b09a67e0587b01719fe19ac7aa8bb28da33852ad448acaea11b89a3ab886ccb2b939981f82de33ada4dfc92af4ac215ccd015426731cc60cce

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi
MD5
55979e5d38af07061fab09547dda1fe2

SHA1
55a2427c54626aab56bee476dc47b52509d97b9b

SHA256
d1cba471192e60acd562171d3ff48e30f811ab5d01a6eb462660ae02a251aaa8

SHA512
5f8cd457935096d04a3cef0a9ac67aeaccf6e12ab69e52a77c2da6e3dba7e6dc3c0888074c3b0412011f2616c8fa4d7857701e39ad145eab615022bedd396833

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5
dc92bf922af1d59318474d39f791b760

SHA1
177b1ed876c2a82eee6e130b5dd2e57c439d000c

SHA256
f9a49dc8bf65964deefca10a29d9704c4857492e5869e28f3d5a90885ac5425d

SHA512
463ef9f850d0e234bfbc799bb9529bce7ec82333c03242e16e67ab210fb5ba8b6251db8a22a0d716a1d649cef6825ad3619aae04d7ca4e247342fd6db6cdcd78

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab
MD5
87bf74ed3bdc15d15964f269f5075ff6

SHA1
d2ed87de550e63141d93b7f3b66c4036e8b60106

SHA256
367dcaf12fb2fbb176ba3eccf7aa20c43520902129ffed08f89765dc1c62b09a

SHA512
465adce13accef4c2f1d2d0ed515eeb20a25b645184a47c771f88f718275c4d9df480c70e3dc676cf52493656cbee0aff220f5ede2b504b19b7361be665d1ec7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5
0d594b8f556d7de14372921317a95381

SHA1
7a31b896e3b74f25e0be6fc7d98f36a2c65a3afb

SHA256
24970962747ef992b4d3e52d237593ec53378de67aa275e0d9a90d59e7d1e1f3

SHA512
e9a0282150637d6a18b26f3ac310a52a61557e519ddd8c84978f5ef452624395c8fa95c11488503b5ef06866432ef587c8b3a12ea66b6ab167d0449024db000d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
MD5
a02ff97c830568da6841ab118b433713

SHA1
eb53a67d485468b7ece3dd9a4a0e723344950bc4

SHA256
45f8a6de80b22c9235b05f25a9ff46e191b6412136041e87ec5446ba8041cc71

SHA512
edc4523e96aa763e3a1967b01520214fb98c608556622a1ccb16798d7ad590bbf761300aef7e5916047f220c149a39f0a6d4d41517882457a703591458020d76

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5
410991652785b76f244499e328579e6e

SHA1
8493483792d37e22458be47cfb5011d64eef7d05

SHA256
189e35ed2a4fa2b4e2a26d043d5c0fba9e302152b7264564a30e937af52ad855

SHA512
5c3766b4267182a27ab9fa95823e73da5f96d40cb77e4fdbe6b2a98ab588693fc3593f41d4e93dd5d7fb1787c128c371b598ae7ba207592acc50ae84efae0153

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
MD5
6085fd5ee6e8392671b7a4a56cfcf5c5

SHA1
a6679d8a157a3c8e53e6f892c682baeeb4292a71

SHA256
82bffe8f5cbae1ad8d171bf9feaa8fa310ded06db51a2aebc0411bcb127ced0f

SHA512
b9d94542110f458ec7a4ef5035700a8dc4d4e73f569acadfc7359b9e7bd9d4d4b1a9810267ec2547b030564f05fcceeb89cdb04fd068c0696d827555841058be

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
291d703471eeee80c1d6848a7ccbd23b

SHA1
8290ca5f5e5d4891ccf0d0d71e8499c48a396870

SHA256
cbe90792b87b61086fcdfe766dddda8c56da4153bc1a9870604067e7511850db

SHA512
63455c8e52a6e446f418368d6dbde787f03a023dd2653e0152d1bcd74efe963d2a91c6a58181e184908290481c74765eb47afe80ffb65886115a10347258ee0d

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab
MD5
83869458f482fa86b10dd7462619d659

SHA1
517fb3c7ff36e55ba08fb3aecacbef1f8788cdab

SHA256
39e00944c26b63dfb2569d34cb6566d92f7e15c2a743c9008ca3de6d159623bc

SHA512
6fc7e1330f4d60f7d12081a7b0b6cba433fd00dd40d0316a6b1e9cf5d84faf6ef9b5ae0e31848a76dd7c24f238a3474cc55a2172347e6b1acb9b2e1128401030

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5
519ca945dc5842eca3b6d4e2e6ee43e4

SHA1
68402f31c96d04d3d543956bc36401c823a0fb95

SHA256
4c5f1d248d5b98ade7dcff69c4f0b01abd9f2e4449c38ff0111d450daf6c5d8e

SHA512
03f96ec0b0d599b945f5ee0e53d46a873424733ab285a2bc84d542a6f2decf9840eec057b4a4e3fd3cc9150edbbac8ea6241e0224aba457ee22198a5b8774bf5

Download Submit
C:\MSOCache\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\Users\Public\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
C:\Users\RyukReadMe.html
MD5
ff8331d271aeab6046ea1ae5eec0be35

SHA1
4b212771c593a2535a12040f931f704ad59e9a49

SHA256
8c31b02a288e81359864aa3cc4a087d147cccc391ff98341e504a9b10135e12b

SHA512
d6503fb5419112c4cabbc4749a97ae6304a968071109d69ba0fc1acd50dd533c590740e0c682b9f0849d74207612820aef00f7c6d07b4ac452b0f00f2b8357eb

Download Submit
memory/616-54-0x0000000074FF1000-0x0000000074FF3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads