ryuk | d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9

General

Target

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Size

131KB
MD5

2cc630e080bb8de5faf9f5ae87f43f8b
SHA1

5a385b8b4b88b6eb93b771b7fbbe190789ef396a
SHA256

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9
SHA512

901939718692e20a969887e64db581d6fed62c99026709c672edb75ebfa35ce02fa68308d70d463afbcc42a46e52ea9f7bc5ed93e5dbf3772d221064d88e11d7
SSDEEP

3072:j06qm9E8obCg2QdgYdrp23suV+eGg21Yg:j06qHnOg3df9eAJ

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (2557) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4416 icacls.exe
4424 icacls.exe
2140 icacls.exe

pid	process
4416	icacls.exe
4424	icacls.exe
2140	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened (read-only)	\??\I:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Z:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Y:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\W:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\R:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\O:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\L:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\V:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\T:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\S:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\P:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\H:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\X:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Q:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\N:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\J:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\U:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\M:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\K:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\G:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\E:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Drops file in Program Files directory 64 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management-agent.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessR_Grace-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Retail-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PowerPoint2019R_Grace-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_OEM_Perp-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSBARCODE.DLL	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\cryptix.md	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT.HXS	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTOCOLHANDLERINTL.DLL	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ul.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\mscss7cm_es.dub	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_Retail-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\mshwLatin.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTrial-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ATPVBAEN.XLAM	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\tools.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\dynalink.md	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ul-phn.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Custom.propdesc	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Latn-RS\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeServiceBypassR_PrepidBypass-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\msipc.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONCHART.DLL	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\jaccess.jar	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-ppd.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000009\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\eu\msipc.dll.mui	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription4-pl.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	pid	process	target process
PID 3708 wrote to memory of 4416	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 4416	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 4416	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 4424	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 4424	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 4424	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 2140	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 2140	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 3708 wrote to memory of 2140	3708	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
"C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4416
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4424
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:4632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

1

T1222

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
1ff60851a6d7d58e5c2e2fed06bdd95e

SHA1
6db9a892cfe2dee2e73a9afb99674b284828eb8f

SHA256
f9413e66009be1319d429457ad53a91674051f78631ba3c8d84145492d0b7040

SHA512
51240011d821d709a65bd73f45b7d2d5d7ec4f1a07989b0ee985569b0eddd5318d8ad35a1043f4b76d4553c8e5099a7b2de6a7e587395da54c697bba0c863ab2

Download Submit
C:\odt\config.xml.RYK

Filesize
930B

MD5
0e6c29ed8738951cd826c5dd51e0c28d

SHA1
a60355312603e48609042db0bde7f5cd5b4365f4

SHA256
fec9b60d1df8d291fccb46242d548257070a4c64c285851de7f4917001f642b2

SHA512
441c1e62771fff7a2ace318e78480c74198fab82b04177b64b8106ed508759c1ad78a12db6ac32cf83505596e00336b15b9054008da158d833f2078d6c8b043f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads