Malware Analysis Report

2024-08-06 09:27

Sample ID 221125-ljfn7sgc52
Target 0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
SHA256 0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87
Tags
ryuk dave discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87

Threat Level: Known bad

The file 0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87 was found to be: Known bad.

Malicious Activity Summary

ryuk dave discovery ransomware

Ryuk

Dave packer

Modifies file permissions

Drops desktop.ini file(s)

Drops file in Program Files directory

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Privilege Escalation
TA0004
Defense Evasion
TA0005
File Permissions Modification
T1222
Credential Access
TA0006
Discovery
TA0007
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040

Analysis: static1

Detonation Overview

Reported

2022-11-25 09:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-25 09:33

Reported

2022-11-25 15:37

Platform

win7-20220812-en

Max time kernel

143s

Max time network

45s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"

Signatures

Ryuk

ransomware ryuk

Dave packer

dave
Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\Lang\kk.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-dayi.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Anchorage C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+1 C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin_2.0.100.v20131209-2144.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\az.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\de-DE\msadcer.dll.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\button-highlight.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\soniccolorconverter.ax C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\jawt.h C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ro.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\HWRCustomization\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\en-US\MSTTSLoc.dll.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\notes-static.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\dotslightoverlay.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\ECLIPSE_.SF C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.properties C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\vignettemask25.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application.ja_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\layers.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-highlight.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\derbyLocale_hu.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Jerusalem C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.logging_1.1.1.v201101211721.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\be.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\sa.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\es-ES\micaut.dll.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIconSubpictur.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Port_of_Spain C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Zurich C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-mx.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\mip.exe.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Belem C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\th-TH\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\doclib.gif C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Genko_1.emf C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\header-background.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Davis C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 1880 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

Network

N/A

Files

memory/1880-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

memory/1880-55-0x0000000000320000-0x0000000000343000-memory.dmp

memory/1880-59-0x0000000035000000-0x0000000035027000-memory.dmp

memory/1880-63-0x00000000002F0000-0x0000000000310000-memory.dmp

memory/1724-64-0x0000000000000000-mapping.dmp

memory/1380-65-0x0000000000000000-mapping.dmp

C:\MSOCache\All Users\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\$Recycle.Bin\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml

MD5 5548b3782fd69c2d5cbf295e03e38cc2
SHA1 538745cae8a310136c98473c522594326113f313
SHA256 fbde7bd32dc8e7e8619235d6c40012198e496861b358bad2acb394f350b7b18f
SHA512 f51a651054b1bbabdf86722cd56769e8e4ae02d4adf0c845e5358cb1bc11c3fbd4bc715d4893771a72ff90c5d16bb8bff3e7b6629ab91e0348e4cab7e72a1407

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi

MD5 726506484dc2adedf169d19b100220b0
SHA1 628181f2d0481cbdb6105a1594d8314bad85983e
SHA256 8e22ccd8f29e8fc07cea6e1e89c7fdf3400cb47e12c6dc769976d9174e8a401e
SHA512 dea82eb6c93b19859d16a2d0591b7da3592533b28fb05f2ee2bef348929bf275a7b5aee3489c04f3626864396674cc908bb8694cf701fcfc2122c6a5453a26f5

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5 726561c903f67b533a82aad61708fa6e
SHA1 35fb72daad75a3f85f2e2d691971a77159615024
SHA256 a6f6bb2376f957ddb6215e552e496ff9f146921989d7e6bd554d4ba44f8f1746
SHA512 8e4eaccdd33c4ec62df41e1c0db67f0db2808d5a81182bd78a5a8fcd379a909b9e6444ab096835a80f2aa0bb4e0186e54393fa083be22d0dbeeeee93b2896b66

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5 975186eb8a7ac938aba01611eaa37540
SHA1 7c956a717800d7ed230805999d04773b87863194
SHA256 daff1b0c16f93af388b214a549a882c8692e92c4b6cf802c67ef82743d07db0e
SHA512 008e51e12b218f41a4e9c83aa8d1d95e468e3a9169c92742d196ea0f970edbb2cde1a319bb93353d5512a049f3413c139e6064f41929dda789e175e9d83c4c74

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5 20515500597094bba53786350fe3800f
SHA1 43d2480c693bfeabdc8ff6e1ad9afd3bed470726
SHA256 18aeb66f42b9e928c27604b232423d67604ad4ed81c15cceb918edb41d3446e7
SHA512 e48825af313e6376513f8f18c1442ec4eb2002869c9db503ed89ccb890ca08a37a18f4c53ee604df539bdddaa2dcca67f29e3ab377e694964bcff93acfcb759e

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5 d4d46cb0f90d422746f385b54005dc32
SHA1 003aba9e87d925fc421c9212ff5f5f2fea699d18
SHA256 429bd0b4b8cd9cccd28ac22ffa5b939e54da1360786541d579fc9a07e1950285
SHA512 49850d31f6da22ca0d5991e81513f9ad9801053846779c73be043013a59cb749f59d2ce85c835e17036a6cac9b649a5c9812332febacbf16bfbace75adcc75bf

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5 4d77fae488fe5a7331145160b466ee5c
SHA1 3bcf075ac8eee8dcb24d5b1fc4fa9986fac27e59
SHA256 98ee92ea5950f1cd32912fe363446e710fc79bc5b0d5102137aad3003e055fbd
SHA512 aa2ad46be194b47d8c1ba49128cf2884c5ec9a6275fc0dad98af9bc28749e836929a6c7d61302df9af1afe380c5a10b387878340d133a8b91eaa8f30035dc90f

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 8c14ef4344e6bbd90aba97ed671b4b2f
SHA1 26f25c85f5923f3d3fd99184f9de1a75e1829299
SHA256 df93d88f171c56f4780819b1f7189133388d15ed0d0ef1a6bf64e2133fa43582
SHA512 cded60e1a9f60bd71d10b1b81ddd0bbc090aa893fa7a1b9953684a4ee6c28bc63f41214bfb638193e38c5805b0f9c7f100aa291718a23bc5b1db74d23a6fece5

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5 2e78292b368278b48174e00086413e39
SHA1 5d488d73439e5302f065d3371d365a8aacd46ec8
SHA256 6a294a5c96bc2731a8e2ab0c0570fe50add44f57b8929a8ef15e6034c32e7614
SHA512 0f27378f3d4208c1d5cb463b85fe7822972d420fb5418a230b884303c352fdb6f5709cdeb76e72aef8ddfe1eacfa7b71a0be435552a1e7eca189d21778f092e7

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

MD5 c0b91552945488326cd0ebf294bbe8ad
SHA1 c66aea0817ea9071a71e6f7cd82ca70e222d6fe8
SHA256 891adf3664f0cfc532ec41c5d5d902cb9af88c50185d703f3bff22e2ec10516d
SHA512 7e5286d8e4027b4167f1bb78cb1ce2187bb01366174e020e9bb5575c4500b4641e4ca617c42cfea8169d0236ba780bc571139ba7b131dd59f08369424d9a685c

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5 99bbbf49d9a581bee86d3bc143144dde
SHA1 f0a3349d17fe43bb92205c26acea985d291d9f72
SHA256 73bbce8743317dd233a1ef3cf58701929d512f674fce3bb4d3d908a39a694ad0
SHA512 7d472aff5290fc5e992b03dff012fbb8b27e66fee1936870db9c53563a3fb11159054b7f2a97aa9bc5659fd5378f4f4caa403f94173f2233c4afdc08bf44802c

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5 87a74ab0cee783a3267dcc2123888784
SHA1 01e80651828e06e236f9cb611856a0a0322cda61
SHA256 743c9b61e596568cd460d87ff4e7c6446b46f4dac7e434c09ec0e80d3df51ba1
SHA512 0e92c8df1a652b2845ba637102615bf73be742f0ec844ac1e38e1caeb574f70e588d133e20b420b63b38309c97f907ad6544e1c85342e04579a0cd955e1c613d

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5 aecae472c2b8e17c19a3d2ed0ad88f76
SHA1 5b31ce222fc4723719f1f5bc5a7b00941e084c3a
SHA256 9563d5940510028c937e06fa95ed6adb2dffd89c1819b97d91750fab63c1ad05
SHA512 e72c941c609507d4bc59b4c328d3c798fe989c8b724b85fbc94a401dbcd999cfc8697fe2e829a851df50a4ca7c0f3916b404197a2f196563a542c484a4cd5f60

C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 0737582364b15cc69135a5f3615b5a43
SHA1 bd371829a5cf42bbfcef036d0afb3b47678fb2bd
SHA256 922b22560c58400249391889ad52c14840d66787f8de96e262d9095c6f652238
SHA512 0ae413f7f513e142fd2f45c07720adb94a7f481abd9d4097a210892986621acb915e983fc13bfea5312781a552eb567a939109825cf02f47a01a9cf4a8ef5afc

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 798d8d0dfa2eeb2f18903c540062a60c
SHA1 874a09196a0fe549e72dbe8da90917868e84dbe7
SHA256 d22dc3ceefdd79c33ddcfc636257dc7e1af36575cd431cb658da26329218a76f
SHA512 63c023777ef2269c5d962e3343a68a718501cc8efc7f34f9574a59a1d84126acb19fc5471d726168d3439596973a2f52b72d2a2473a9b6ae222d7ee986698a8e

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5 ffbf544a702175451f7229345942cf12
SHA1 4ec25ba1c6e6fcb936ae784c30a2d7ea89218301
SHA256 0f795aee8831a854e618139ae89cc6568473459d036539735e9604fb0ec0dec5
SHA512 8990c2650c01860b894044c548a0768fbdab79b201d95d772ebf10e7edb3b1d3253082d0e42d335e7c6794e12410164557ab72094c8a18a6eee434d1bf34c79a

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab

MD5 95f2f12031801867fa7f7f67e4135a1d
SHA1 5e85e42adcfe21c393dbfb914a7e3be8e1c207e0
SHA256 771a38cd5c0548c553d5bfb43628be64959f87a3bb7235b9b4dccbb4ce9e0bd9
SHA512 0bf792a0e9f3239549f2e35bb6ac5c9c67dc240c9428215e41d45d1b47ba100809785c5fc2ef9a29f05ececc4ca1e26e958c7783b4fc83a0fd180a5d8d42198e

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 c25ba8005d29bdb5a4661410a2048835
SHA1 4ec332b2e013ef5bb348f9b05ac396c6b625f691
SHA256 cdd293c7a9cc941db648d2434a4622563d4783b41928e92618d2fefffa6dd1ad
SHA512 d98b785ddf596a64ce67f1e3aae07f9cdfd76cefbc2b9bb701bddcdf6062fd21eeb282af32c9b74dc069284f3d6be2615e9bf7b95cae1ab9c8173cf1112006f8

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5 4fd6d2667569713ae49f4859b7309342
SHA1 2b1ff559de6271f506aad31b453113c11d8c1ac2
SHA256 92f24e85f47ac0951e3c56ce21084cb853f4bc10e6a8df0c1ab1b1100a7529fa
SHA512 eaa21720fa3be03680533ee94d033ac12d9845907ade54b19a451f5e472ff9c9fedcefe45f1fa9e029a457c557af111effa22b9eaba419d94f77755135c99b75

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5 2fb0aa01f365d0f4fb976342a50c104d
SHA1 85f9597ad6870484f814a38b4b3c31c19c09578e
SHA256 a2b2f8e3a4e095623f699295aaa287a2af91e673beac501ebb8fc37e15ec92a6
SHA512 6f28f871e9775af2e10be1457483d2d74248204d867426f4092deee6e0990ea0d11458afa58baf8b1b01c2d743567b06af0a4c39e69d2c778fa44661299be248

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi

MD5 8787943aa5ae4e8a7a79903faedf8330
SHA1 b3ac97b10cd416da8beb0ef0b68fc5c0148b6b0c
SHA256 3f8386479407804a24650d4e1dbd27e6f7b99de2310f34168111a41dfdf58094
SHA512 14635f94c0900fb1fb6cc26b18da96e3a4f1b3bd44949c714922f64366c04e83c59dc13b56d6ddd55b3606580385051f50eb5ab3250b7258beea7b8e4dcd4443

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 6ddcea88897d19fa4f103179eb91badd
SHA1 fdddcdb62783347b15e25dc129c54d87657b5442
SHA256 3ef19725e6cc9388435aa6f8128dbf80ddd4cf8058ef83aaa722ea0a67b4df86
SHA512 e2cb42b3c24d82d65e9f23101626c943a660ce0bd48541e4ebd4ae2102b25f07a324a4efe3f2447b622d0e3930c7a1c0d8b62d52b44bc7d3cdb5f4a93f24a982

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml

MD5 bbe4165ca43e1b46d6b19f53e04cd8c2
SHA1 548b5c69ec5330c3be76d662324a66c107ea7c3d
SHA256 c5e9a6bd04d4614ebdd8438ec87a3f3dabf81062a52750bf8fd83fbb09e9de7f
SHA512 7ca79042cdc8497a13b08899e5a46b619e7e4e62f85bb92c2b84859b560742e4de3288fde23285b8505c714bf3a422f082df3556ff2640da3208df6f1f636039

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5 4f3e36ffca8b4f1b97be1d03a9a70218
SHA1 a3228ea0cb1fecd401e7bcd10ac50e7377e18946
SHA256 f9af2bd6dd33e438d494d0c530cb26208152fb1d322e54473e190fbf4bc1c31a
SHA512 094727f5323a21922f0c9ecba00875056b2373b3ad433aaa92835d410af35cb8248d50d67aa42d4921535dbab416502906e59392be8734a84278ebd3e2084d22

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5 e178b2b782203ad4dcb808c04e8195fb
SHA1 d2c289c4b71c610ee6b66c48d2d5a8ce73a0c293
SHA256 ae19377d8b659f692c4088ecd4043c739bf9766cd0ae04bdbf2c84a8f80f5554
SHA512 04bb9e08d3f86a67c446be330058ce734aa569758b845f435885bb676df7aa9d5a05702ca2743d0b8716463f0bd2f1601237b24c8b1aaca55d777085ff9a1feb

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5 8bbd27311622d2010922fa860b29c0c3
SHA1 69a45c755ace5f52a47144bf8bdaf743b099efb9
SHA256 0c5d503a5d4af41990393919461745fd99d2d24af63b0cbd1443677646fabdae
SHA512 5ef24147d57cf66d6fd7fa12a9a87746d401000ca2d3fe3be27ff11c44f43569df5e9c5e90144ad6107f3e64c6ebc65915d32aba03523b630bdfec08bc98823f

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 617b0b28cd86244d0fcdbaaeeb65e634
SHA1 c1cb392adfa6bf9cdb0d1b553275c56db5e292f5
SHA256 1d0b9052affbdbfb6e5cb8205ccf9c87523f0f35f3c882366802bc79a32aa6bc
SHA512 1ad45911538cc7e4f569475ef9cca878b97f807ee9a5ac13cdb53edbad9794e516d62e8f3ff5c916b7a0802a9a31bc95a219eedd04086e2ea4b87d023007aba7

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml

MD5 f56013e69a65cd8470a2b5ffb7e480eb
SHA1 010668fab71159a8a48b1e543c6feac9ebb92b96
SHA256 a6da0fc4761a0828faadfaa3b10cb88d54641c718e5c84be5295363f09a9f710
SHA512 4c9a57dc26188870eadf92ee82dfacbfa61041b452dc371c2ca1cb888d23c60a920df79a25554d383967e0c18ec6663cfa8d23155427d34984c9890c960a7768

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.msi.RYK

MD5 40540ad4cbbbbb48d5e95ad62df60408
SHA1 79a802fb833299cda7f0e4f097aec02746b78766
SHA256 bd67b1887addebda531d7d8660708866b914932c7e88d5d36ac189433c8e87c9
SHA512 0995b34be5e0de70e16801ba4fb9dded7b71376de3afef6536d4760b78cf1333cdab543b9e3ccda4c2734db8889efd1d898586d6a69654312a6c5c99ef0a8b48

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveLR.cab

MD5 8b74af84e282632eb9491589783bb178
SHA1 288a323db801ff96296f8dbd83cdb360890ece14
SHA256 dc0930524d9ee57e8059d723682da762d6e4bab9dc8a4dbcfe4f60ebe3c76688
SHA512 5448b54ff90431d4eff0c6f692c9fd2b8916717aac46a86de8707f748e8afe108d4639108ab889a92153bf5e8fc993fd0e599180b9964d68884ff1766ae9e675

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 1415209988bdcc9d7826b72594d58624
SHA1 23b8f5cf2d378968002a80de1c2531c733dbb389
SHA256 907410968021634125fcae3ae229aa121192e16a61151b59f2d3a389db8651ad
SHA512 b47adc3666ffc6094468baffee23de6b25d9d57a810d306ef5a2c07692fc7043c9605035305e73bf62ed56c81b7354e3f76d3d192eea2485e13c70f13e78ef71

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml.RYK

MD5 380cc4a96d51f1f8a8dd38232dd184b1
SHA1 afd4da4fe7ebd7ad3faf65027f655479cfbb814f
SHA256 58a00f2f7caf2a162a6a26e8b3030cef562714f1174186681092885d910dc47e
SHA512 6fba18a577d6040c9e2ff862aa4f54418294df2edfc6db338bd9134b799b63c3ec7074df946c9bbc8275e0aecd681a925ed0d4ae96a80a7fd1aec121a7e408b0

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi.RYK

MD5 568419a5a30303043e1f61b4375c3a01
SHA1 a9b73f01c74260dffa721df9c34be9b9fa7fbbcf
SHA256 67b1c5d9c1c507165d75028817cb82fa0e236e69cde9387fb9a7b85f54bba10d
SHA512 033cc1b0468a751906bc99db5c1ac1c238c72411bac3e2d5d1725fb0ab6fd29a3f3bb40fb8e6ebeb3b2ca0908abd1a86824051df60c4678efebce7c93b9d9b9f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml.RYK

MD5 f5f9b04f0514254fe8dc798fc334fb94
SHA1 0d8f2bb9001d7ced97ab60055695670b7f3600b7
SHA256 cb124c5e6cb10f6bf502f28b20240e30d6bf7bfda7eb4059612af27c3c43a49a
SHA512 e4d9870995b9ffca6a213fbf39dc553eb35ebd3e210059f12225d933654d06a427dc042c9c0398fab02549b9afc39812ee6e9969d7ddbdd54a27a105fa8e7bf7

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi.RYK

MD5 66cb0ac07619db08d485a753b537d2b5
SHA1 9811b2bd253870884a2674c67750ce70d694b0f6
SHA256 ebe9b06ecd6e9af4d14b53b22df1de95679729d9d58f3bad066a7c61c6a5fb10
SHA512 0141feb8afd1ffa191e4caec77113f96479919510f44add3acf17310911682afe652138731463aab4c4f6888a927e571b06e5a4fafedb92b3d0c7a640ea8759f

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeLR.cab.RYK

MD5 1ea58356107195c35686bae22d775bdd
SHA1 65957459dbbb9f6495bb655dd3fe16e71a5e58bb
SHA256 029a5c8e64f03f2b6cd2c7d4784634ffe361fa3a33e9e7a630ca3d315051a017
SHA512 2ab326e99036b99d79f0c935131817aaad01ce1a149a7491f1f7a38636a802a32c33c213e9b220b71572c0b4e9cd14cbf5732ddd2f5c69de2e8d8f3373c39e51

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest.RYK

MD5 d46ad90198a1fe3e6ae84a1759822d14
SHA1 3f9ec8e6b41ecd91b9c357ea6f17aa5ec38785c1
SHA256 f9edf8a5e0131b3d26ea1dde7e2fe2d98e206c67c92cfa76aaf4575cfc950262
SHA512 581770339a9bd8a4560f7d3a7e206fb845e7f4c1c549ac4a284be3a8cc85a93041b332596fa443214a9f83a7e233f9a6149e195929edad6f695ba668a57d0af9

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab.RYK

MD5 e3a5043b351e0eb6c704d0ccd3b7295b
SHA1 292074392dca3a6acb892900ae4f632c4c071a2a
SHA256 898efb0590182e8591ff4ab88dc7000758d0ff8ef67189aa8f63f3d0be547d96
SHA512 0086cfa9bc91226da7f518998b1d40d747a9c61344222d0b4b4f544d3d690294af6e978be9924fa5ee29095141d91d0b02750e5ca0406555b610cd8eabbffa85

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml.RYK

MD5 5c1b91c2791db21464d7cf64774f0979
SHA1 2e4d5bb94979056a9bb886ddc14ec13b6e6131d0
SHA256 4821527fee83093585b20e525c8a3e519c220fea6561bda27c952523325c629b
SHA512 df11a3e75363104d2d10cb9494a6dd25d1f20ec120c3cad064f4f9502b2e81b8eddcd4f5a10a885621fab1a21d959a4f3c0e413e1320450f4b1e755a5c4ef7ce

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi.RYK

MD5 415d690dad58b60d73b75a9eb2dad311
SHA1 cfa03f6c1053333357f87812f71803a3d8a0cf86
SHA256 4b97b7de28d4f22dc0d54df503439fb5937703cc65989019ca24430c06ef1dac
SHA512 d6933628571d9d4dd663dfeda4631558b9e621edec77dd82ebb643b1894deaeac7e9d412f2c97ca9c8716dab2a9b290bcb83fac7d3f6418462d713dd536d94c7

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml.RYK

MD5 2a684ba51a2e4135ee2ae4b69837a2f3
SHA1 90bf1367790b2a3b7bca3ea2be4e4aa340a18893
SHA256 48f5c3fd6f70ed23cc150d8aad34a4e5a1853ea6f219479991af12d8cc325d33
SHA512 b782a6cd9c27d95f8c14066b345a79eec6a6dd14ad6805d89223a0be42d416808028556caf16eaed4a04392284e880535223088c4eaab259abb887176d201648

C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi.RYK

MD5 f732abed809d1ce7f39024577b72c196
SHA1 d5c63033534a104fca8fb72825cca9e8b398daaa
SHA256 5e8e11bd8b41ede3ca02f38f02a78368d1171a627f67a10ead964f1c3388a9e2
SHA512 7bdd5e1fde52cb85e7af4b373d57d706f5896dcc9f055d9f920552168a15581bf27159a04582dd555bbbbf02ed0a5bccd4e35815561934dc5702de5bffb9c3da

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST.RYK

MD5 626f07d27cde2f60748fa951cfbc09c3
SHA1 c72f5a2c493292dbbd549bb0f96513c32dbb8c33
SHA256 02624eca4a7facbf5fd8742d83dd710daebea427452e32e89a86af4546284d34
SHA512 70545d8d207ed641cc531341f61661194951d6a469f1766b0453ab687c3deb58f4d07d7ae5af68f0afb8890d6559cd5296f71301777b8888dc41c9dc1df5bf47

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5 54cf60bf16673b350f00254b35afe0ea
SHA1 52ef42e96b2859c68551c212fa6f8615d7a7b69b
SHA256 649ed26554d9b758246bd056382d859f54886893c2fbc942e4bd95dabb30b437
SHA512 22b5c87966fcdf889a48154cc49076387088c72e69f266a75fc9d515d39c949a1d3ae25acefbc01a405cc5e66ed438bd6ca8c971615cbf83f0288f3cf280bb73

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm.RYK

MD5 5d24b67e3234cc54d71033fae3714b63
SHA1 76cd4ecdf8b1041291348b60f3868df046b622a9
SHA256 04a75ea186fbd9ea42d39208a0f422361b4439d275938c7413f095fdf506c1ae
SHA512 e69b13f3f7c5fd08d393f032d2a0bd1e90234d1988ad6cbd1d1c4a1299bd47f874e7f88c046bf5ab7308e30ef59c060c65c57cf862a78f695daaed33b7059240

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm.RYK

MD5 fa48789cb9ea5fb9a10d76c0616b13df
SHA1 99e37522083d6420238d3b80c70517592fc51e59
SHA256 b4e1f601e6461684f34669a55f6b1cf5286795df00fb0fea2af2e6b45c6a1224
SHA512 14ff01ae169a5226efba809eef0084cdf6760d2bad820d5a896035ce39e12b0fd464a1170ec39acf5234839ea03a15ec65361dcea88ccc3e9c23b38adc6e029b

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml.RYK

MD5 641ca771a6bdf395da32680f8f77f5b8
SHA1 da57b0353230eb65e64630e4ce1dbde3d55a4dce
SHA256 d14ebc3a10f926f9b5b14e1537f48c163477e10d3d5d282c9359d1c5f8ed05a9
SHA512 ed3dcb4b3503fbae58f4b64c28cd1fc4cfefdcfcafc5c609cad25b954f21fa309528b2e7db7907c1979e87c545440590404aaabd5c283617b9cc85ae428d50c2

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-25 09:33

Reported

2022-11-25 15:37

Platform

win10v2004-20220812-en

Max time kernel

150s

Max time network

187s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"

Signatures

Ryuk

ransomware ryuk

Dave packer

dave
Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.LEX C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\ffjcext.zip C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\LucidaBrightDemiBold.ttf C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\SIST02.XSL C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\System\de-DE\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_COL.HXT C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-openide-execution_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\updater_ja.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RInt.16.msi C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\System\ado\msado21.tlb C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\LICENSE C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019DemoR_BypassTrial180-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\PREVIEWTEMPLATE.POTX C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.jdp.zh_CN_5.5.0.165303.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-phn.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RHeartbeatConfig.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Trial-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-core-kit_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-pl.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\index.gif C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Retail-ul-oob.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2212 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 2212 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 2212 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 2212 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 2212 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe
PID 2212 wrote to memory of 4396 N/A C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe C:\Windows\SysWOW64\icacls.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe

"C:\Users\Admin\AppData\Local\Temp\0de55e3b9cb7955e3ca059eb2d0496adf65303695cf50018a9ca24cb0dadef87.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

Network

Country Destination Domain Proto
N/A 72.21.91.29:80 tcp
N/A 52.109.8.45:443 tcp
N/A 87.248.202.1:80 tcp
N/A 52.182.141.63:443 tcp
N/A 93.184.221.240:80 tcp
N/A 52.242.101.226:443 tcp
N/A 93.184.221.240:80 tcp
N/A 52.242.101.226:443 tcp
N/A 52.242.101.226:443 tcp

Files

memory/2212-132-0x0000000002320000-0x0000000002343000-memory.dmp

memory/2212-136-0x0000000035000000-0x0000000035027000-memory.dmp

memory/2212-140-0x00000000022F0000-0x0000000002310000-memory.dmp

memory/4412-141-0x0000000000000000-mapping.dmp

memory/4396-142-0x0000000000000000-mapping.dmp

C:\$Recycle.Bin\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\DumpStack.log.tmp.RYK

MD5 77e4cf0a822b25647033c3c888ac16bf
SHA1 c23f304b73ea2ef8ddab0174e60f03eafd57aafa
SHA256 6d41014051cbe8ef992fd8e49091f5fd025417bc90c1fca66e08d50df18fb04b
SHA512 04740032e3e94276d799cd988b2ee452494c32a3634d37cb8d68c2f4397e485648937158aa2d654f87d010df55756c37e57c863a2ae5942d6ea4a0ab7eb41e44

C:\PerfLogs\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\odt\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\odt\config.xml.RYK

MD5 cfd3315a905529f4912ea49d4c520a83
SHA1 4be01c42f715e3b6af142cd3f030af36d5995061
SHA256 9c457de476a721137adac8d73c8cf419e1e90bf4f9669cd88e3eefa8f3c37c27
SHA512 edfc1b61e5e61e63f1687f2e6396c1efd22cd6810d652c4cc9a9d750e59e26e6a36e4aa1ad03913a2bebad036db41584a15aa7e3e3fb643a1533f3fa0d88e9aa

C:\Users\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\$Recycle.Bin\S-1-5-21-2629973501-4017243118-3254762364-1000\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\0f5007522459c86e95ffcc62f32308f1_e32e1c79-b88e-4709-94fb-81034ca3398e

MD5 42ee8ffb094448e578b6dd89c0adb387
SHA1 0249c53aa376de69b96b9e447c59fdf6f7f4809c
SHA256 9042e848423d7e6e02492ec91462a6f6d60e3925315be9d031ca3bd28c6db2bd
SHA512 0f81556531e976931a77b0cc6ff86f9341d4f398460d98d80d2c541f9b6741aef2d2e7cec6db969b4f6270fdcda1bca3917c4dec141a354740c46899f0df8896

C:\Users\Public\RyukReadMe.html

MD5 11b99d04340f1787b622f2bf871e3f7d
SHA1 ecae22838d8a43f0ec3bc99fc08e42df4301ebfe
SHA256 44e4c998f2fa1e1771a28098e5590750802680e9f16057d9ab36e0cbd7c1d334
SHA512 f917ef34e7fcbe7cb1f0da03862d43ab514c56a4886515d8363bceeda0c7c610244e4440888355ddf9f8c2182b6dae447ed3efd78dd39e421def8289230e8288