Analysis Overview
SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
Threat Level: Known bad
The file 91736.exe was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-05-23 16:53
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-05-23 16:53
Reported
2023-05-23 16:56
Platform
win7-20230220-en
Max time kernel
89s
Max time network
148s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1324 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe |
| PID 1324 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe |
| PID 1324 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe |
| PID 1324 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\91736.exe
"C:\Users\Admin\AppData\Local\Temp\91736.exe"
C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe
"C:\Users\Admin\AppData\Local\Temp\iwupXoMzelan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\WZJMKuhiElan.exe
"C:\Users\Admin\AppData\Local\Temp\WZJMKuhiElan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\DQwEWgryglan.exe
"C:\Users\Admin\AppData\Local\Temp\DQwEWgryglan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-05-23 16:53
Reported
2023-05-23 16:56
Platform
win10v2004-20230220-en
Max time kernel
120s
Max time network
151s
Command Line
Signatures
Ryuk
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\91736.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1264 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe |
| PID 1264 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe |
| PID 1264 wrote to memory of 2804 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe |
| PID 1264 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe |
| PID 1264 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe |
| PID 1264 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\91736.exe | C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\91736.exe
"C:\Users\Admin\AppData\Local\Temp\91736.exe"
C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe
"C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe
"C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe" 8 LAN
C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe
"C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe" 8 LAN
C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
Network
Files
C:\Users\Admin\AppData\Local\Temp\aBasDiheflan.exe
| MD5 | e8673c8a299d1647ead6f3da4565ac54 |
| SHA1 | 71015f9c281038d63bf7cd45894550c1a26c6b53 |
| SHA256 | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe |
| SHA512 | 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc |
C:\Users\Admin\AppData\Local\Temp\gLvFRYaJplan.exe
| MD5 | e8673c8a299d1647ead6f3da4565ac54 |
| SHA1 | 71015f9c281038d63bf7cd45894550c1a26c6b53 |
| SHA256 | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe |
| SHA512 | 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc |
C:\Users\Admin\AppData\Local\Temp\rorGCcCOmlan.exe
| MD5 | e8673c8a299d1647ead6f3da4565ac54 |
| SHA1 | 71015f9c281038d63bf7cd45894550c1a26c6b53 |
| SHA256 | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe |
| SHA512 | 90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc |
C:\$Recycle.Bin\S-1-5-21-1529757233-3489015626-3409890339-1000\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\users\Public\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\PerfLogs\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\odt\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\odt\config.xml.RYK
| MD5 | 20fa81c3a561a9e642e350fdc0e694c7 |
| SHA1 | 052cb273e3a55be73348f90289a67f80cc1eed51 |
| SHA256 | 4054e7f64df7f9a4022a65ee801229c221673e9ef9bfc1519a2cc8a818d8c637 |
| SHA512 | 105987525461e61baf86e464ec63d0c0b4a01c30df1be132c189fb0ca4b695414a406bdbfa2878b3ae33c04763720549581aae82a6d4378742c4761d710f1d0b |
C:\DumpStack.log.tmp.RYK
| MD5 | 95cdf2269bdbf6ccdc336d698fe7e61c |
| SHA1 | 267506c0edb3f74a418263d87b12306cda600275 |
| SHA256 | 5d924eb8b526e99d9c2685832807bfc35537d5724184e073d6dde13c4c1bc7fe |
| SHA512 | dc42c959725c030767398cb280ba3289fb141e1046e977581744ca773188a3007807d9a948830e082249b34b0581868aeb279f7a4ffdc22e43ad78d63aa26058 |
C:\$Recycle.Bin\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |
C:\Users\RyukReadMe.html
| MD5 | aad27a2b7aafd7847fa58ddbf07a2d25 |
| SHA1 | 5a367ec3a44b5c079d80e414555675e316947d28 |
| SHA256 | 317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d |
| SHA512 | 52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3 |