ryuk | 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

Analysis

max time kernel
147s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20-08-2022 10:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x0008000000022e2c-134.exe
Size

170KB
MD5

31bd0f224e7e74eee2847f43aae23974
SHA1

92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256

8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512

a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\BlockImport.tiff	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\SkipDisable.tiff	taskhost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0x0008000000022e2c-134.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Paramaribo	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench_1.1.0.v20140512-1820.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_ButtonGraphic.png	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\bandwidth.png	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\MSB1FREN.ITS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107258.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\TAB_ON.GIF	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00190_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115868.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEMS.ICO	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-jmx_ja.jar	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\LC_MESSAGES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_07.MID	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_btn-back-static.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\J0143754.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00260_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18238_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTLOOK.HXS	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\BLANK.ONE	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYER.XML	taskhost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui	taskhost.exe
File opened for modification	C:\Program Files\UnblockUse.odp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Excel.en-us\SETUP.XML	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01186_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\AD98.POC	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212601.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME33.CSS	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\TitleButtonIcon.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Wallis	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239941.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153307.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14769_.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\TAB_ON.GIF	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\startNetworkServer	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Indiana\Knox	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Inuvik	taskhost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN04355_.WMF	taskhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

71080 vssadmin.exe
71344 vssadmin.exe
6924 vssadmin.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

6908 NOTEPAD.EXE

pid	process
71080	vssadmin.exe
71344	vssadmin.exe
6924	vssadmin.exe

pid	process
6908	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0x0008000000022e2c-134.exetaskmgr.exe

pid	process
1196	0x0008000000022e2c-134.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2036 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0x0008000000022e2c-134.exetaskmgr.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	1196	0x0008000000022e2c-134.exe
Token: SeDebugPrivilege	2036	taskmgr.exe
Token: SeBackupPrivilege	71116	vssvc.exe
Token: SeRestorePrivilege	71116	vssvc.exe
Token: SeAuditPrivilege	71116	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe
2036	taskmgr.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

taskhost.exe

pid process

1256 taskhost.exe

pid	process
1256	taskhost.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

0x0008000000022e2c-134.execmd.exetaskhost.execmd.exe

description	pid	process	target process
PID 1196 wrote to memory of 1652	1196	0x0008000000022e2c-134.exe	cmd.exe
PID 1196 wrote to memory of 1652	1196	0x0008000000022e2c-134.exe	cmd.exe
PID 1196 wrote to memory of 1652	1196	0x0008000000022e2c-134.exe	cmd.exe
PID 1196 wrote to memory of 1256	1196	0x0008000000022e2c-134.exe	taskhost.exe
PID 1652 wrote to memory of 2028	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 2028	1652	cmd.exe	reg.exe
PID 1652 wrote to memory of 2028	1652	cmd.exe	reg.exe
PID 1196 wrote to memory of 1332	1196	0x0008000000022e2c-134.exe	Dwm.exe
PID 1256 wrote to memory of 70992	1256	taskhost.exe	cmd.exe
PID 1256 wrote to memory of 70992	1256	taskhost.exe	cmd.exe
PID 1256 wrote to memory of 70992	1256	taskhost.exe	cmd.exe
PID 70992 wrote to memory of 71080	70992	cmd.exe	vssadmin.exe
PID 70992 wrote to memory of 71080	70992	cmd.exe	vssadmin.exe
PID 70992 wrote to memory of 71080	70992	cmd.exe	vssadmin.exe
PID 70992 wrote to memory of 71344	70992	cmd.exe	vssadmin.exe
PID 70992 wrote to memory of 71344	70992	cmd.exe	vssadmin.exe
PID 70992 wrote to memory of 71344	70992	cmd.exe	vssadmin.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1332

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:70992

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:71080

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:71344

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:6924

C:\Users\Admin\AppData\Local\Temp\0x0008000000022e2c-134.exe
"C:\Users\Admin\AppData\Local\Temp\0x0008000000022e2c-134.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0x0008000000022e2c-134.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\0x0008000000022e2c-134.exe" /f
3⤵
- Adds Run key to start application
PID:2028

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:71116

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6908

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
Filesize
22.8MB

MD5
ef0f7fbc2ad8b6b918d3aacdec962dec

SHA1
c6f1ef7ef0e98889d8e9e7c22c5bb46e6159cb96

SHA256
aa72b2f5b4b5d28a6201e6813b63193c0c6f236e9e95bcdb78c68c87442cf49f

SHA512
5855c0e678d51f478ed15631f4047206590084b392861d0a8ee9bae7d4d16a595b09d9ea497e51a749bfb6a335c97e6313accc958cc8bf41536f7edfd2880d35

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
Filesize
2.9MB

MD5
381bf89d1aa629fe45b79c78f58fcb09

SHA1
81297a72ac3039dc77cefe150ad078728579d513

SHA256
427b19cb7ead14f12afb82f22ea7dd02dab8e8a50ce55b70f786218f1503fe31

SHA512
1ad401a26f1896f3a8f03dd68a79fab2f6d101dd5791d3b80aee57136e8b5645d5703aa1b770b9dcbd1a0425e88078a6a8fa0dd3fabff4dc8997728d6c03d431

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
Filesize
4KB

MD5
85be660f6dbc8ed4246ab0ab271f9a7e

SHA1
914e4b99208a525d935081451c98937d7f60c49f

SHA256
aab3ddb3d7e893b624b6e3647678686e614b3276e6416881be0b3c080c8b0c06

SHA512
0932793b7d48084406d9440998f9628f56ca36caf2c1f13073a673ceb3cff140178504540ce6bf6f35634256e01194ff048d95995e3d918a15cb79d5855cd84e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
Filesize
23.7MB

MD5
fab1eda05160a4d26a8430b4d36948c2

SHA1
1ce8028d7efddfc6c07111057143c4783329a784

SHA256
9c8f3fde60f0b34c10407605019ea1b5c702beced2796c76ca398002487d1eed

SHA512
803f4296703f33ab83615cf4002b3e45a9763228aa662c2ded9c54e49b89f7c11ca5f7ed6f2485219a9813e66fafdee16b36fdda43cae11273b40e10206cee02

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
Filesize
17KB

MD5
f04f3455bdba245f71ef4ffd53cd68bb

SHA1
323bbe8ceec84172aa51c24d8b4e3a9dd1adfb6e

SHA256
9ebbe028f047855a31029c7ca65365ad343509e002fe6fe5432e33cb89d77700

SHA512
59823c295f823503d3fa778fccf81d514b755837a335f4f1d82a109b16089bd5ad10764225be04f32698af3899c4d4fa78ba55f9cb32efa51eb0f0c29cf078dc

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
Filesize
49.5MB

MD5
faa29210d24dbbfec13e39dd0279ac33

SHA1
7d740f8b0943dd174c58e06706b6f401bf459e86

SHA256
1bcda3fff36f42f5e20de951a42a7c4f93d15cabd119f9fcb882799bb13dd71a

SHA512
6fb0a66f6c220bb8cba348f8fcf0884fc13072ef7724abacbdae96f00f0cbede53603edd74121d43600d1a0bd59c0b62843cb0403c618620ac821e054cc09337

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
Filesize
49.4MB

MD5
c283ea483dfff13f309d950ac51f28c2

SHA1
b50dc13d3e76e09410f2a78dbb1ac5a97a992723

SHA256
80aca68af1b44e0c3e8a76a7e7a1286c83e68851382f7fe059b7b1ecd3b3923c

SHA512
169f6bf55cdc28ac48af783d4800905d4bd39ad093911cf734c83098cae6a8eb095639155a6df4d120fecb670105c3d403d4281efb5b0eb90f708e9c013c6ce0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
Filesize
31KB

MD5
1052ab4f13de638ed6f7222a5f853a74

SHA1
026aac32d25081f49243b6e731d6397f17b1e2a6

SHA256
7a2b1684fa13d820b6ca48724b592f98dad6d549c6b96faa335d3b16e3793383

SHA512
357afba71a47377f679de57e856fbf52ea57f36e9b3e4f82368099c58129a5edf20e45f4a4939252dee6bea7326103e105bce2a4633323fdb5f70ab28d6ff3db

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
Filesize
699KB

MD5
35c0cffa01fd8244dd54da6a80a55c72

SHA1
57ab33a25dfe6ac5bdcbd00ab145a860d4df7554

SHA256
ed87414149dd4a374e46f9caba8c94a615c3f9bb55dcd81cae878b73ec3cd44c

SHA512
80243780e2341cf20c13c8dba749e527ce23d704424adee58321aae00299224a1d74e20aeb0f6c18565ae777543b4992921e10ca685a6c2138793648a3fbe3e1

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
Filesize
16.1MB

MD5
fdf1e2e08f3b0a5663871f18b23c6263

SHA1
d95d7df4d187860bbb74da162f8f979d5d0b518e

SHA256
7c33ae594d3a702962103a5188f9d5b36cc8726f292c0ceaa4a3d8ebba51a93a

SHA512
fcc61b95b0a79287abe3d219a0fb3b07948ca8ae993ae2909b7ebed173648364839b120cc0c3e5d6e1c10f662fdc9efb9597f22719a7542f203e7b01e09c34dc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
Filesize
1.7MB

MD5
1da70b53980a050b8c2db93c70570a9b

SHA1
09c878ea11584b2a1f27e64a2dfdc380c50b812b

SHA256
ea8e6c8d2ffc3b487d0417705a7a54111d35bd1d837bc8e450644064bdace1a3

SHA512
e4a93970e9e29abd0ae1d6ae032cc60134aef883daf74362c75d5b15077b836b2221969424385f16e02688d7e9a5e65e6a81ea94fdfee8182e5e5e2baeba82cd

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
Filesize
1KB

MD5
28f4d443bc77fb1b2d1994a46c9ea5b1

SHA1
a2821d524b7697d8f6a01e58147919604c4e3d5c

SHA256
06af551885c51f00d93774ed7ea3edb788dfbaa8fc84b3bc0faba5fb2dc80cdc

SHA512
9842974474be1c96be976ccc368d4377b021c6adc8a373e9e772045c9fb106d53ef27b4a8ac646af9e56c10a5fe4e9795bf1df0aef059cd0372d539b37857b30

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
ccd42423bb75bcaeb5291f1e796e995b

SHA1
745899aae8adf16cc29b4298553162bdceb6b558

SHA256
0c79d979ac80c4057e6013405ed8ebef3aff0e3bf4f9880d4086697988552295

SHA512
0087b75a9d0b6305384d295f4de6267648b550c45069025393dd8ca7e3c9e06d15dbb8763e6f2598fdca54cb885e66390caea68bd4323d8bad77852ac6395944

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
Filesize
1.7MB

MD5
8d34223aac9fe4069f5cc1fbd163a8f5

SHA1
d45b2969083a9dea0604b7ad1d83777517e4d11c

SHA256
2b402b5596f898e6efcfeb0a75f3bc8258605f14936c06f204c5fc5ce99b282e

SHA512
4a5fb0610c7fda5850203773f19904bffda8ae18e0099510c5d6bd6226b7c9d19b718612e37fc04496c8d662fd7ad6dc3d3fc90027674bd2fbebdd32810a3d52

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
Filesize
1KB

MD5
a9c8fa9ca571f76d22e81f3b1f3a8f5a

SHA1
fb405f089bbe233283e861da28f2d5442a5aa0d6

SHA256
cb4ef9adbe93ee045043729cc7ac0fcd89fc036bafb69c438713372d990dff82

SHA512
315009709846afbfdc8a8b41b0caf19f575413815598a65cd1b7457f11c296a20303902ed3e1b148a401ed09a91026c8f0529b09bfa44a9cbaf4ed56f426bbfe

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
Filesize
49.4MB

MD5
8cc2f517efb11611e20eaa70f19056d5

SHA1
7cc4d541de9b484c8f9c10ee83e1427a512873a2

SHA256
90a753163528d945de02c829542c0b796eb1e461b626fd37e175b9e68d08e007

SHA512
f12d23670a58906e84901bb9135b4c707adbd3447859466d88b792f1ef06240dfadc2032675b87e55d7e555de3c4f8a74dc1fca516e52d7cd08437f4c7ca0b10

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
7017c2534e5c9f40f32e598b8131bf92

SHA1
0f257d8a4ec52eae2ff04726d34f8b0b290b8586

SHA256
d8d9fc65a27d43e4bc12757ed89c7627fc310002c5fe0be2e4b11788fe9e4154

SHA512
3d067050dfaf00e1b7dbdbe3ab47e465a775e97b3be7b4566b095b158f06ec81e78ac8cce22256b275e9a5c8a872f89a42e4e4968ed9f6e64417ef43fc58956e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
Filesize
9.5MB

MD5
efebd4ee99f626a540e79d0dacab3cd6

SHA1
7ea05bde4c286118b9c126bd7ef3e0b0d2796644

SHA256
f1fdbc634f1d4b1b6768ae07b530663ff8769e620f4d32670656f4693be9aa42

SHA512
6a711dff722b470a5effaf8d4f5a2c007a83892d825557016872c77eaf09f1cbe9661b20b08506a210ac741ee7fac0c4eedbc1f62665df3d41fe2c20e220fff4

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi
Filesize
1.7MB

MD5
7968ea864657ab0a9e1635e2f5f40613

SHA1
f026152afd5a48b58b0ef3aa1e58d3eed831374b

SHA256
ebb637cc47c94163157c8e335ede1018a9bcab1a03d903e6362e636b37b9268e

SHA512
35142c4a9b4fd77bbec55195f0308baf35d9780dfa3d521f911c937047b55adc9df613b6963234cad9abfedf1ce2039fd0ad4ee5dda509c5ef799058e0418169

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml
Filesize
1KB

MD5
a8c77088de191202eeae2e3811f21c4c

SHA1
eab745c992d513fb351ef6702d0c89c88f1a92ff

SHA256
a8eb969f4c923ee90694d5cfafae00291c9c4508c6cebed6f7a1e659a685fecb

SHA512
7dc470b1d0692b04e8808929b627e4bc17cbab0c978753863b6c97e7a097008ef6c4eb908523316b0cb4587702f202fd2c8efe40faf47af657a362c6402758c3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
46a8e9cd974fa3a1164edbed7a2707f0

SHA1
83fd9b52fc761ec53595585b14b3ecf7cd215054

SHA256
8e45364b263e36927c029ef1eab7cad268c2b83f1cbd5d88207686eaa00b97a3

SHA512
d2eba89192cc67ee3932f8693adb4b107bd7dd71fc8f9eb7ae35c3e2f97453f6e9da6fd3ff962ddac66d720d0578ee4097afde4eca6e077611d7aec5ae18f801

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
Filesize
2.0MB

MD5
57c7cd0fd36db5c05f49a754adc5de34

SHA1
5592339c2d5d4822d2add849f738b483f5741ce4

SHA256
87ffe0f16c37a7105a3b9b27df330378257dc214e3d2523d76bedf8269678524

SHA512
5d1dc0ffcb969220be8f2b960af860b9b4eccd0e662d6d7be0ba79c13b8be69714214d4e2e49fce5ac65d48ef1402ff9a2ee4a1d3d22d6238f3b4980e028d6df

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
4KB

MD5
01dca4379df2d6d60f8ce97ed9857b20

SHA1
053ecb4e8a42adbe250e8fdaad2e771ada0fb646

SHA256
b801256dd47e74916565b7480811e9ad56bf64bb3605fb7997f1fe8428846886

SHA512
789b0ea21b3e3f19d78e0b57dc4ce25d1164bcb9c8fdb06e39a870a4e9bbac5316e147841113d1acbb3958f6d0e8f6a54922f8c9e290fd253817b59149443546

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab
Filesize
7.3MB

MD5
7936ecc6133719a1a1610bb313a9512c

SHA1
3d13a541b1ce3383f20e9a28a1faa06fd4439bc4

SHA256
b9189d910c8782439024e49e6ada28f9e8abbe7948051419b9d32d42f7e67c24

SHA512
698da24da262e13e93a055d6d76a172805c03b0e67dec40e2a5e443933b129700d0f10af2103a2d52160efd689fe4734c29225e7b4edca1757ab0d0b65aafbe0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
Filesize
2KB

MD5
b1d733260bba564f00dbe2fcd3843306

SHA1
0326e14e32a5c6c91eab8009f015755db51f986a

SHA256
8c1a7a21a15204e42ebde11055d8a2dca15d13acd27ccb42332e98c1381aaa30

SHA512
a7dad9930e914a087c8ec63b0a576d79d5f5a501a6dde5c17d72661dc3afe951a4b487e7825415499e84e396a63547ed65cae04354c1d2f5747c32119fe187ef

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
Filesize
641KB

MD5
1427a20bace89462a9974d3d95387092

SHA1
8cd5f3aad19de001af8f1927a73bd687b7ac2fd0

SHA256
7006d42bd98a37e1c773670818a0c46a322e98283070579ddbfc09728e420400

SHA512
9d852834ca94976dd86a401bae2e9505c21bf476a9f6702ca581dfe703751cb403994b1396e796a54fc0a7eb8842f52f1cbe69cb6e140219615cdaaf2cbbbebd

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
Filesize
7.2MB

MD5
ccc84f4078c5493fd1cc8f61fae7eb39

SHA1
5856c0b55082ea4a498cd30050b2bcf24a954e42

SHA256
b10603cc18f48dc1c8f08084d9e7c50cdd9ef98671ac5f8cdad58fdb7aa2f110

SHA512
afc3195a0de6cd3637ebfa92403823bcdcfbf2c7cdd575bd6a28e7e82dad41af073e48b4e1296be67dcb6789bf2060eb168b50e3239e7931e7e3212f5b78abce

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
Filesize
1KB

MD5
e58a520b71ba0fd78897a73869b2666b

SHA1
077816a5af5ee3bbf2cb83e4ecc66808aa0af451

SHA256
b177142954bb59b0162658b35e1974ce2ffd104ff9f32e8819453aae3bfb479f

SHA512
447f3d7abb4671ccd894398d5f2093ec2e08fc450017930ca262fb383ac69e6f48ef9b7a1ae6c0f078dc7a21c923e57e9eab89a996494b35eaf09ed698bd7872

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
Filesize
652KB

MD5
a1d1a84fdc00d86559d919894c5c292a

SHA1
622d7b9d5b1d1c866aef3b29b8ac170f79138709

SHA256
d016a1ac2f91d776037108f1dc5eb722eb717f16b8eb88fa0061acf7d2c2e72b

SHA512
f737a3adbb54d19417c1802ab052e5f9827de886427e8a0c8d6f833b31f08ed7fdf677acfb93e7ba09191138ef5a4d32e94954e237e0925a05dfd5f96ef708f5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
Filesize
635KB

MD5
04c8847dcd514990dd64e2a0cb8ad564

SHA1
72d0bab493d7ae041a243b215fcb85339518a9bf

SHA256
a0b8a14d7edf3b753522d5fbc1d5b67bcf2a42d881a84509e7d23882c41d04b2

SHA512
5185a16002782d8b96a2479c03508b01caa25cb50bc4b3cf9245e47dbf840811705dbc32acdecc74a56baa0e6352cfe619bb1b33fed2c1f4850b2505d73535d1

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
6KB

MD5
900448dc0bc601bd0bb92bfa59a84b51

SHA1
eecf12e5efebc9dffbd238a6ddcbfef0ff73487d

SHA256
3aa22164bf230363199cbfaa599043acdc3b8c26619252e33515571ff7e79a69

SHA512
f3615636d8b09ce02a43c922cc2713a277a9e04cabd14dce78c693c66e5cacab08322abe3f40e2210ea7f2524dd484227e7655cc08b6156d364ac1bc5c6e9364

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
Filesize
2.3MB

MD5
56e35ac6c775161baa3205e553d34da3

SHA1
74bec94ac07042b001db3ad31de49c6a9ceea4d2

SHA256
d60a1e517b89ddecf2dd551d810086d02c5b6dd34348b42bc5cc8113e1878741

SHA512
909d820fe83369626906016e02de5c471e35bb8f28db14230cf777753312e5214deb5bec36dcdd564484db06aa367ee2c1510f0bd3ce7ade20dcbd04e86d3209

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
6e709a712c1d1e96c1dbdbd698658250

SHA1
1efe366e1792b3d838081ffeca10c21bf49a5755

SHA256
8a003dcf0700afbba70292ee7a7dd22dcd91696482ef66d95384ece0d9efb0d2

SHA512
44061de5b8bc2913bffaf9bc506831cb48f25bd42a730a15a63f34a076e2fd76be3b801f5cc401914de0ad83ddfb78b826b2a79243d96f04c677de1c722b640e

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml
Filesize
1KB

MD5
2a7e7b4db7fcf26852aef196921a23ad

SHA1
afb78ce0098004f093d33c4f0c6ad9f5013cd803

SHA256
9e4703d8438077816f7891808823cd0730566c97665bc034391336ef16e4e6f4

SHA512
c3438dc1bb677e94338872d9ced8dd5ac6ce7be269803efa60b52a52a433c9de97e7f57cc5737cb904dc21d2ba2c80729feb46143cd6d63819f36ec1a9c07244

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
2KB

MD5
b2b2ba8cc60c7f1001ecf2365df56d2a

SHA1
2782b779721ab4ecfe212db19f994ff49b552d0a

SHA256
60c2a6d4b70fe377486be2783fdf8d74a5a1dd2cff9004ba097429b28205373f

SHA512
7c50a72ae3b1e50d6ae9903c7359a93c12cbe6cd12c0e70878971ed0b3eb3d10059b3c80600960c58c098b1e774d04a9868993689e0149c1c6fc59f441640e37

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi
Filesize
1.7MB

MD5
ebcca9f39961f461166996985f5a2342

SHA1
12c82a43cd5c7a64159d78995d2d88a9165c5f85

SHA256
bcff9a857c3ccc92e97c60f5a883b4601e742eff8c0adbdc9c8afaeca26e9d5a

SHA512
31c077bc8e4371bfc1524fc8bc8b037f5f36147eece3c9c65b0f559d05a2eb8f8321b979cfad62bc472a434bcfbdedd584f93e392509cdefc84ab7fc0b83ac57

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
1KB

MD5
653d58277d281982faa7d1807944dc58

SHA1
b3546dc35564e2e887e197bb3622d8c2ce4512b4

SHA256
1b830a96703721d52a39690e7b0f9d244f1e7447ddaf4b963f1315a4623cd1e2

SHA512
1cd3c462b90d348ebf3698855f4250a3555607850f1388fb86154c2c77bedb519cecb5ae81cddbf3aec75d10467d1d1a318ca1e5459dc23a3da6cb5afd517892

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
Filesize
2KB

MD5
5e796923a3b1b75ecd5dbde4c9fe8533

SHA1
d3e323cbde16c69e0c74d48e3e7c1e9bb8eb28f3

SHA256
ad1c614e133c6195ba7f3a3c79073b867b34491015446b5491fa6b4759cc6c8d

SHA512
d8c20657b4e6c9fe461afb83d45570c3ec322fb42cc233900e3450de3f16180c30e5d0a0b88e5e24dd1d2300fdf7256b19fbf709704c65e5e3be6285feeaf646

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
Filesize
2.7MB

MD5
a9d216e68eaae2dbb8bbdd789b41a929

SHA1
5f725427daf85f373f8c93a3351151313beca173

SHA256
1813f2c0fc40fca4686b7276f86083433b871ca3a44cb9c487ced4ee181867ac

SHA512
f1abb404197805df761fd3efd1917c26880a0762cacdb1c9f74d45314824097c33e03b496950605ce64a46663f0d0fe6e579f5e796cd716c67e4815455cf6757

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
Filesize
635KB

MD5
adbd535eb700434334a57b7cfbe5e8ea

SHA1
eddfe7b144d86fcfbaf512426842b9373bbb3898

SHA256
c9d1eec3732776ab97385e1a2b920b127ca475482e98872ad0e08e7292fa9bb0

SHA512
6dcbdab99fbcac417e43c9c0b3618677822eff341c14f0b97c552e9e571a54200333d2d3422b8b62d96a81aa0996dd9fa3754e74cec878497ee52f672f33fb70

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
Filesize
9KB

MD5
b8d3a01f6bc7aa9890ad2254fa3a3271

SHA1
c5b1f1e44216a8db7f97566dc1ce51ef74a0f16f

SHA256
d76fe3016986f1f15182d7d09fd6d43aeb72835c54ef5d1381d152cd0bdab41e

SHA512
34d57cd436395afa6c7a0e63b811979e0d9f8b14c0b10424a006608cccc436742cfdbee5ef893f23aae2f0ecfcbb4ed0f65d6f6dd5f3dcdb2c3901aae6af3284

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
Filesize
26KB

MD5
ea33c393a44e7b439777e098049d1bed

SHA1
b79b4e2db75092ec3fa6a827692113557c06334e

SHA256
253069096123b712ba8e25530e3b65fd64d93e601edd7eff26c6f3861814766d

SHA512
b3383a4942aba708993efc5eecbdc5de21ccf26952df7bc21d7509b54d7e3d664aa65e78c0db7101c9788875bec674e8c412efdab65be5dfaf523ca65960ac12

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
Filesize
638KB

MD5
cd005c1beb301d2d6c416bbb3f13079b

SHA1
11261bbe4b362e9aa2ee9d5a4305bc36543bbf6c

SHA256
e2aa8417085d8fc8c3301a8530ce385c42ba71c63bf1f5f71865faa41bade6bc

SHA512
991105176a8c3002110d8508c6893cf6624115fc2847faf8b3737deb224e41cdd76d34fca4ed0d575bcd716e9fc756f6a8f6d64398bdad536c00f716fbca49f8

Download Submit
C:\MSOCache\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_7725c12a-7257-458e-a47f-7029d9191548
Filesize
338B

MD5
b6cc042c035beed4ec1402fa4903ebee

SHA1
03f4d7819e0677f99a36febfabf67ddc64219f9c

SHA256
f5f5ff49f09fd7d101eb36c57fed510d8f217f3772df37f32de11ba1e1d9b7e1

SHA512
8d8dfcdb18aeb57711569f026743f64a4e434341108dc56330202f2225934576b79b83653b3ad5c26000ade3be5e1febbe027c93931739ebb910f90f0b64251d

Download Submit
C:\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat
Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
memory/1196-54-0x000007FEFC161000-0x000007FEFC163000-memory.dmp

Filesize
8KB

Download
memory/1256-67-0x000000013FA50000-0x000000013FDDE000-memory.dmp

Filesize
3.6MB

Download
memory/1256-56-0x000000013FA50000-0x000000013FDDE000-memory.dmp

Filesize
3.6MB

Download
memory/1256-59-0x000000013FA50000-0x000000013FDDE000-memory.dmp

Filesize
3.6MB

Download
memory/1256-64-0x000000013FA50000-0x000000013FDDE000-memory.dmp

Filesize
3.6MB

Download
memory/1652-55-0x0000000000000000-mapping.dmp

Download
memory/2028-58-0x0000000000000000-mapping.dmp

Download
memory/2036-63-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/6924-135-0x0000000000000000-mapping.dmp

Download
memory/70992-66-0x0000000000000000-mapping.dmp

Download
memory/71080-69-0x0000000000000000-mapping.dmp

Download
memory/71344-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads