ryuk | 180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

Analysis

max time kernel
151s
max time network
188s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-09-2022 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Size

635KB
MD5

a563c50c5fa0fd541248acaf72cc4e7d
SHA1

4b8c12b074e20a796071aa50dc82fe2ff755e8f6
SHA256

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843
SHA512

d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479
SSDEEP

6144:LA+0uP79QAbIhsU2Hl7A6P+ZT6EnW5TMGRx4S7SM22C4:LACbIhs5He6PtgvS7SM2T4

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = '5GqsR1ewcO'; $torlink = 'http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://piesa6sapybbrz63pqmmwdzyc5fp73b3uya5cpli6pp5jpswndiu44id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1932-63-0x0000000000300000-0x0000000000322000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

yezJfllMsrep.exefWwRgwSZclan.exejbkTZLQwXlan.exe

pid process

1232 yezJfllMsrep.exe
948 fWwRgwSZclan.exe
5604 jbkTZLQwXlan.exe

pid	process
1232	yezJfllMsrep.exe
948	fWwRgwSZclan.exe
5604	jbkTZLQwXlan.exe

Loads dropped DLL 3 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

pid	process
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

26176 icacls.exe
26188 icacls.exe

pid	process
26176	icacls.exe
26188	icacls.exe

Drops file in Program Files directory 64 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\content-background.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\NavigationRight_SelectionSubpicture.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12Resources.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdeu.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqlxmlx.rll	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.jpg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\ado\de-DE\msader15.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Eirunepe	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Toronto	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Karachi	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tehran	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Content.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Monet.jpg	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaTypewriterBold.ttf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-1	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\lib\derby.jar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\TipRes.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\micaut.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Internet Explorer\images\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Postage_ButtonGraphic.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationUp_SelectionSubpicture.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Anadyr	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\InkObj.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrusash.dat	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Lagos	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Maceio	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationUp_ButtonGraphic.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\msadcor.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\NavigationRight_ButtonGraphic.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Circle_VideoInset.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Cuiaba	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\it-IT\msdaprsr.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\de-DE\sqloledb.rll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\RyukReadMe.html	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Notes_INTRO_BG_PAL.wmv	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\1047x576black.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\NavigationLeft_SelectionSubpicture.png	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\FlickLearningWizard.exe.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\dblook.bat	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\tzmappings	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

pid	process
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exeyezJfllMsrep.exefWwRgwSZclan.exejbkTZLQwXlan.exe

pid	process
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
1232	yezJfllMsrep.exe
1232	yezJfllMsrep.exe
948	fWwRgwSZclan.exe
948	fWwRgwSZclan.exe
5604	jbkTZLQwXlan.exe
5604	jbkTZLQwXlan.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1932 wrote to memory of 1232	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	yezJfllMsrep.exe
PID 1932 wrote to memory of 1232	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	yezJfllMsrep.exe
PID 1932 wrote to memory of 1232	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	yezJfllMsrep.exe
PID 1932 wrote to memory of 1232	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	yezJfllMsrep.exe
PID 1932 wrote to memory of 948	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	fWwRgwSZclan.exe
PID 1932 wrote to memory of 948	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	fWwRgwSZclan.exe
PID 1932 wrote to memory of 948	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	fWwRgwSZclan.exe
PID 1932 wrote to memory of 948	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	fWwRgwSZclan.exe
PID 1932 wrote to memory of 5604	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	jbkTZLQwXlan.exe
PID 1932 wrote to memory of 5604	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	jbkTZLQwXlan.exe
PID 1932 wrote to memory of 5604	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	jbkTZLQwXlan.exe
PID 1932 wrote to memory of 5604	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	jbkTZLQwXlan.exe
PID 1932 wrote to memory of 26176	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26176	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26176	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26176	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26188	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26188	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26188	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 26188	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	icacls.exe
PID 1932 wrote to memory of 75684	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75684	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75684	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75684	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75696	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75696	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75696	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 75696	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 75684 wrote to memory of 80032	75684	net.exe	net1.exe
PID 75684 wrote to memory of 80032	75684	net.exe	net1.exe
PID 75684 wrote to memory of 80032	75684	net.exe	net1.exe
PID 75684 wrote to memory of 80032	75684	net.exe	net1.exe
PID 75696 wrote to memory of 80044	75696	net.exe	net1.exe
PID 75696 wrote to memory of 80044	75696	net.exe	net1.exe
PID 75696 wrote to memory of 80044	75696	net.exe	net1.exe
PID 75696 wrote to memory of 80044	75696	net.exe	net1.exe
PID 1932 wrote to memory of 80064	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80064	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80064	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80064	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80100	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80100	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80100	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 1932 wrote to memory of 80100	1932	180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe	net.exe
PID 80064 wrote to memory of 80140	80064	net.exe	net1.exe
PID 80064 wrote to memory of 80140	80064	net.exe	net1.exe
PID 80064 wrote to memory of 80140	80064	net.exe	net1.exe
PID 80064 wrote to memory of 80140	80064	net.exe	net1.exe
PID 80100 wrote to memory of 80152	80100	net.exe	net1.exe
PID 80100 wrote to memory of 80152	80100	net.exe	net1.exe
PID 80100 wrote to memory of 80152	80100	net.exe	net1.exe
PID 80100 wrote to memory of 80152	80100	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
"C:\Users\Admin\AppData\Local\Temp\180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\yezJfllMsrep.exe
"C:\Users\Admin\AppData\Local\Temp\yezJfllMsrep.exe" 9 REP
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Users\Admin\AppData\Local\Temp\fWwRgwSZclan.exe
"C:\Users\Admin\AppData\Local\Temp\fWwRgwSZclan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:948

C:\Users\Admin\AppData\Local\Temp\jbkTZLQwXlan.exe
"C:\Users\Admin\AppData\Local\Temp\jbkTZLQwXlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5604

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26176

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:26188

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:75684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:80032

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:75696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:80044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:80064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:80140

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:80100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:80152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\$Recycle.Bin\S-1-5-21-2292972927-2705560509-2768824231-1000\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
Filesize
22.8MB

MD5
d853afd872c8c35a1be20071f0fd456e

SHA1
dcad01c1c8ee2e005a610ba55ffe741a8d8518c4

SHA256
c10e623d89fc3950dc7a1a9e4f6823703efae3ac4782e7a9616d3417ef6a2140

SHA512
6cc4a59b33e00962e07fa78990f1b38c78b4b7fe853f3fe53cb376edd30bc4e2a86ef028aca81329661f1568fc3f7d0af8bd9043370366b290a78218f1650244

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
Filesize
2.9MB

MD5
e36f152173f95ed6d12096439e4ad3f4

SHA1
e1a59371d91a0e0781f5351fbc61f4dc79d395af

SHA256
69b53e9f85024cb8ad20f66fcecae4ad73810387b2b25d44a45854d936c4e263

SHA512
1544e1571baa2e770675d65bcc3f42c45aba29dd62fa7b9e6ce2d3809f0f4f3badbdf4799e5ab9b2c4aa902fee4c9b406565f033f217bc1179b8179f4129462b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
Filesize
4KB

MD5
c4c714030d7a49bd4efbc5b2a2a6d9d8

SHA1
0a27982a3bd1cb9b5aa6b065d1b988459dfdfefd

SHA256
20d59fca63a01cda45e2545d8053d11c78310e98482b0bdbb9e240540fb4df2b

SHA512
e4cea6210e6696c4662c67884c5a627aaeee23a516539ff641b444f9b0df44389679ab5b6c51f29c78fddc9e7eeb348644af1be1ff75e0e4d1b0ece96eb111ef

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
Filesize
23.7MB

MD5
643af5d6070f68218c9814c9a2ce20d0

SHA1
051ad2568f3cf3917e91f743ac1041b8bad1cffd

SHA256
edd9c16c81025003bd85d29b43a149ba48dd28b3924cd3f3e6819b9e883cf346

SHA512
6429c96ee87134531bf0c45e86a26a7e2cc84ef42f48862092f2406eef7ac4579010e14ecc304b9ecf7249d414a712b7bfe0d1afe2a366fefd45166fc1f42ab6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
Filesize
17KB

MD5
dea277b0bb62dfd6e7da742ca990ac3a

SHA1
261a3940b7687eba397e686514e846d8011c564a

SHA256
cce8455966a8693f52bf13f49bc0721eb0d24edd8f7e147304a55cc438a10569

SHA512
1cda1caab5cc725701067944514d99d110f8fb5f915b0b8be39f6a4727ad11fb48eab072c90a14bf1090d44a773dc0a39b28be4b7714387635b62d4d917bd982

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
Filesize
124.9MB

MD5
c4041bb56ffc9243f76f17f5f825012d

SHA1
434a42a29f9d5a2c1b6ed992d61be10b30938959

SHA256
bfdbcde8134e4ecae79cbcadc6fc96d5016455d22c96b9ea0e87afe48c980ac2

SHA512
567198eb0bbfa6b1e9f1dd933fea1b1cdd41c877d3d209bf89b2f2092ec62643475cc16ed61a26fb2ef86b03d9c0816d23bff4f3eb39ff056adf097b58eafc45

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
Filesize
131.2MB

MD5
187b1a95181244383f1d40cd6fe99fe2

SHA1
d2d6301d643fa2a6234981933f7c44717a674805

SHA256
ebc72c594195826c8dc801fb7ea1c57cf9bd6b2ea88075f0faaa7d34b1a913e3

SHA512
47d97a257b9b3e16a380896b75f5d75a1a5a77629c270991f45c1b2a4cc7f645464f817c0034ee52ddafeeb78ddd4d6e4be7cfedcf6216dd19fa1d7ccc305704

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
31KB

MD5
d6914a65900e48722344a91356c903c7

SHA1
1308ce59e3499d87b83932dc705e0c3613e18e01

SHA256
eaaec32f7efef66ba5b57c86bfff9f44868f3d7297e1ec820c0642e5efaf24b5

SHA512
85bdca89e565934e49770dbc612010547eef3abf1074bc235c13122c060dd476afbaeadaf922bbede0716d634805fd490ecfb598a8f17ad30b7a51dfbaf1263e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
Filesize
699KB

MD5
27ffb38fa22f62170c37ca48b6b9ef82

SHA1
f3938f28cccfcf2fa9cbc64c48ec2e17966d79fb

SHA256
4a78aed320f14c2d534ee47b83e553e729ce7c393c4836bd9e55ab7e9ed46d09

SHA512
573703c472fb9736a5cfe3b5e8a350922ed1690e05d421f937ba2f875c76b638feeeecb736739607b69a78c0cc1e6493be7baea11da3499f7f7af1923770efcc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
Filesize
1.7MB

MD5
77b9e8bf685ab4b7ff406a9d5c4e8c18

SHA1
18edb8bdf2b7415e2e19cfb6b9aa2f4430027e12

SHA256
abab4d536e82b2c81869dcd32a4c41a96834537b54a0e4b4a78b1d96303cba4b

SHA512
fdb09c2259ed1edb7727a99aa3832cefd94b9dda7322a442f0fa104425ee3b45b96add5f644dd75c95686ec932c38c5f350914d828888f31473ba9e08570d436

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
Filesize
1KB

MD5
07d657d7858d245f46dcf7057db66a99

SHA1
d1c0d3af36f348d0a78aa4cd8018d5dbba1a7aa1

SHA256
e7f76f0142e875bba008f6f7acd71310775c387a25bdbbb9fd236310fba00aa1

SHA512
fa10e54e940192ac41f107553ec2af2a038d78441dadcd74c5819c453c6a314f2348e8634bf7ab92c6140a599cbfbd2f821bf46cee1f851ded7b57860d0aa549

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.msi.RYK
Filesize
635KB

MD5
60e889fc070fdbee9937ee8e07710055

SHA1
31e27c6c931f88cdd94202af5a04c31a5301e6ce

SHA256
7f06a0f0e77e7d81ee7bb8c697b2c7f28bd60fd80f510af548463566ca50be9a

SHA512
8a0e1e1b3683b62b52ae2baf7c04549d5957f6f7c6cbeb4a01cfe2bf97a07a53d37af918f6e95f93fd3dd15df15386c69f31b7cffecabcadd7368110ffa0f711

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml.RYK
Filesize
1KB

MD5
38d4c9622740d132a17b6f7aa40b4127

SHA1
cf0903b8c20185580f2126a654a30aa598e10777

SHA256
e0bf6f8f0e80213cdd4f5e3fd4b285360c63edde60d931d6e85af19918b1911c

SHA512
7ca4623617f8ebfa57904c3f28da83570c597e2c41c9cad06bb35d7cd7d8976f202ed7858245396bbe058b6c07e249ac38c9e3e96d41e13284d31f6262622342

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
Filesize
2KB

MD5
2ba7224fd8f791cacfa7b3d89f4518fd

SHA1
051d9bbe306a7e7160b678a3cbcde0260ca37295

SHA256
a208f2b768934ebf0f51c496a9b3891b0ad99f7a7c454ae40baf368fd29804a5

SHA512
0be5358daac77e13f36e770daf50b6d1f11afd34c78b1620e6004610dd76337933e714392433e43a039ce736d747f3256312d1c64c585663e032e65000c88ded

Download Submit
C:\MSOCache\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\PerfLogs\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWwRgwSZclan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\fWwRgwSZclan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbkTZLQwXlan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\jbkTZLQwXlan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\yezJfllMsrep.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Local\Temp\yezJfllMsrep.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\0f5007522459c86e95ffcc62f32308f1_4339b52c-c4ea-4bc4-b41f-93efca473d02
Filesize
1KB

MD5
f79e1a1a7808d903ef91e6cfe34e017a

SHA1
55177f9129346f4ca15afe9f94b24456f86a9e97

SHA256
9d69a407c3ca8835c9767a64f6acaf7c28817882bc57c91df50054ba22b3875d

SHA512
b8cc8ec63c35c09a35d84d2f279c614ce3ba04366a8d0011fbc0771398f6f94e39eff552aff98c0e8ae78a44fe0689e9fd08802bbd0079e69dcc71f67056579c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\0f5007522459c86e95ffcc62f32308f1_4339b52c-c4ea-4bc4-b41f-93efca473d02
Filesize
1KB

MD5
48692002900160a0cdd0a9355d215ca0

SHA1
ae286580357f659b4285170e57f23af204efc629

SHA256
bb2ccb3a339829344011568aed82dd96c393b9ace76cbb6b7028505c56c1b95a

SHA512
06f4f55bdbb175f9b9083fa83be311549da1c5658af21890713cafcc4b6637108a20ced19b0a5a188a1543dd128be657865aebfd95623ff957e6459b36cb701c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\0f5007522459c86e95ffcc62f32308f1_4339b52c-c4ea-4bc4-b41f-93efca473d02
Filesize
1KB

MD5
48692002900160a0cdd0a9355d215ca0

SHA1
ae286580357f659b4285170e57f23af204efc629

SHA256
bb2ccb3a339829344011568aed82dd96c393b9ace76cbb6b7028505c56c1b95a

SHA512
06f4f55bdbb175f9b9083fa83be311549da1c5658af21890713cafcc4b6637108a20ced19b0a5a188a1543dd128be657865aebfd95623ff957e6459b36cb701c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2292972927-2705560509-2768824231-1000\0f5007522459c86e95ffcc62f32308f1_4339b52c-c4ea-4bc4-b41f-93efca473d02
Filesize
1KB

MD5
f79e1a1a7808d903ef91e6cfe34e017a

SHA1
55177f9129346f4ca15afe9f94b24456f86a9e97

SHA256
9d69a407c3ca8835c9767a64f6acaf7c28817882bc57c91df50054ba22b3875d

SHA512
b8cc8ec63c35c09a35d84d2f279c614ce3ba04366a8d0011fbc0771398f6f94e39eff552aff98c0e8ae78a44fe0689e9fd08802bbd0079e69dcc71f67056579c

Download Submit
C:\Users\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
C:\users\Public\RyukReadMe.html
Filesize
1KB

MD5
d043a5e64678c60680dfbdbbebf3c848

SHA1
2a54c86534bfb34067a271f28e0c3849649a56ee

SHA256
7bedc9a9f63c58209b9c14243d671c893bbf397db77ff88d6b79c5cad33ce9e5

SHA512
6984d7be07844a1171032612f5ad39703fa775e59133c61fb8c865a2511309e6377f3d207fc599d64de9c5975a7214ea563dc231eacccf08ad4eca4eb9da835f

Download Submit
\Users\Admin\AppData\Local\Temp\fWwRgwSZclan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\jbkTZLQwXlan.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
\Users\Admin\AppData\Local\Temp\yezJfllMsrep.exe
Filesize
635KB

MD5
a563c50c5fa0fd541248acaf72cc4e7d

SHA1
4b8c12b074e20a796071aa50dc82fe2ff755e8f6

SHA256
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843

SHA512
d7c4c92b3eeb8cefe6d007b7b4fd79cbec388582ca0f3708d520a2c3e432d490d2f69ce365edbc1141f13e71ac473fed74a4367b7898af68d5c1e3b4e4899479

Download Submit
memory/948-79-0x0000000000000000-mapping.dmp

Download
memory/948-84-0x0000000000590000-0x00000000005B4000-memory.dmp

Filesize
144KB

Download
memory/1232-65-0x0000000000000000-mapping.dmp

Download
memory/1932-54-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1932-59-0x0000000035000000-0x0000000035029000-memory.dmp

Filesize
164KB

Download
memory/1932-63-0x0000000000300000-0x0000000000322000-memory.dmp

Filesize
136KB

Download
memory/1932-55-0x00000000003D0000-0x00000000003F4000-memory.dmp

Filesize
144KB

Download
memory/5604-93-0x0000000000000000-mapping.dmp

Download
memory/5604-98-0x00000000005E0000-0x0000000000604000-memory.dmp

Filesize
144KB

Download
memory/26176-107-0x0000000000000000-mapping.dmp

Download
memory/26188-108-0x0000000000000000-mapping.dmp

Download
memory/75684-130-0x0000000000000000-mapping.dmp

Download
memory/75696-131-0x0000000000000000-mapping.dmp

Download
memory/80032-132-0x0000000000000000-mapping.dmp

Download
memory/80044-133-0x0000000000000000-mapping.dmp

Download
memory/80064-134-0x0000000000000000-mapping.dmp

Download
memory/80100-136-0x0000000000000000-mapping.dmp

Download
memory/80140-137-0x0000000000000000-mapping.dmp

Download
memory/80152-138-0x0000000000000000-mapping.dmp

Download