Overview
overview
10Static
static
0323b4326b...02.exe
windows7_x64
100323b4326b...02.exe
windows10_x64
100898a80dc2...92.exe
windows7_x64
100898a80dc2...92.exe
windows10_x64
100aaecf7f77...91.exe
windows7_x64
100aaecf7f77...91.exe
windows10_x64
1016af8d85ef...38.exe
windows7_x64
816af8d85ef...38.exe
windows10_x64
4180f82bbed...43.exe
windows7_x64
10180f82bbed...43.exe
windows10_x64
1023e95ba676...7f.exe
windows7_x64
1023e95ba676...7f.exe
windows10_x64
103a6ebac4f8...ca.exe
windows7_x64
103a6ebac4f8...ca.exe
windows10_x64
1041367ad447...00.exe
windows7_x64
1041367ad447...00.exe
windows10_x64
10Analysis
-
max time kernel
152s -
max time network
105s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
29-03-2021 12:47
Static task
static1
Behavioral task
behavioral1
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
0323b4326bd6674f7d78360bb6544c4b34067066dda31e45edee91dec021e702.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral4
Sample
0898a80dc248a7931f8e2bf76a22a0a8d54b39a815e3fe810a2a190c50017892.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral5
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral6
Sample
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral7
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral8
Sample
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral9
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral10
Sample
180f82bbedb03dc29328e32e054069870a1e65078b78b2120a84c96aaed7d843.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral11
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral12
Sample
23e95ba67603234352ff2864dc7fa54742f501e5922f01f8c182dbefc116f97f.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral13
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral14
Sample
3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
Behavioral task
behavioral15
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral16
Sample
41367ad447e3d86176713af7776c1ab22d5fc7fd0fe9584f14d201b9bf071700.exe
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe
-
Size
168KB
-
MD5
f60db4476317c6d130d6102ef7571958
-
SHA1
d4f41df13bc0f5eec21987f1e412d1d444f86681
-
SHA256
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338
-
SHA512
7bbd954f12915a6867187b96ba62b846627c15a5a3167b72522c4f2bdea95be64782ce1cd65ad89f2edfaba161cb7088866283fddb4c57857cfc2ec795be82ca
Score
8/10
Malware Config
Signatures
-
Drops file in Drivers directory 4 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\drivers\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Modifies extensions of user files 3 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\ImportUnregister.tif.RYK 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Users\Admin\Pictures\MergeApprove.tif.RYK 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Users\Admin\Pictures\SetStep.crw.RYK 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Drops startup file 1 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Drops file in System32 directory 64 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiabr006.inf_amd64_neutral_0232ca4f23224d01\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\th-TH\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\angel64.inf_amd64_neutral_6bed16c93db1ccf3\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\iirsp2.inf_amd64_neutral_9ed65fe0bab06b1b\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\rawsilo.inf_amd64_neutral_8eb7e6403ddbb7a8\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiaca00c.inf_amd64_neutral_27f4ad26fea72eb1\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-shmig\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\hidserv.inf_amd64_neutral_f2223e39f37c69f3\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmsun2.inf_amd64_neutral_242c76ad2e288fb4\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmsuprv.inf_amd64_neutral_31d10a1a73b4feaa\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr006.inf_amd64_neutral_f156853def526447\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\sk-SK\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\hpsamd.inf_amd64_neutral_84ae149ecc9f8033\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmnis3t.inf_amd64_neutral_857ff0fa9c73850a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netvwifibus.inf_amd64_neutral_9d0740f32ce81d24\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmcodex.inf_amd64_neutral_9bb71004e7b8f7ae\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\wbem\en-US\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\el-GR\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\eval\Ultimate\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\HomePremium\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0404\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Sxs\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\brmfcumd.inf_amd64_neutral_db43b26810939b3e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmeric2.inf_amd64_neutral_a0575ec9ce5c7de9\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx003.inf_amd64_neutral_d1510a8315a2ea0d\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wstorflt.inf_amd64_neutral_3db956c41708f7f5\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicE\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmcxhv6.inf_amd64_neutral_81ba64c5b6150dd3\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnrc00c.inf_amd64_neutral_53a58f4fd7d88575\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep00d.inf_amd64_neutral_dd61103f3a2743d4\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wvmic.inf_amd64_neutral_b94eb92e8150fa35\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\en-US\Licenses\_Default\UltimateN\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\DriverStore\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mcx2.inf_amd64_neutral_8cf9cade8f7bba56\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\LogFiles\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\hidirkbd.inf_amd64_neutral_2b561a02e977e2e3\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_amd64_neutral_aad30bdeec04ea5e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\net8187bv64.inf_amd64_neutral_d9eee378245b3b8b\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\msclmd.inf_amd64_neutral_413d17c790177eef\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\msdri.inf_amd64_neutral_86bb50f34c49ae71\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnep002.inf_amd64_neutral_efc4a7485b172c07\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\wiabr002.inf_amd64_neutral_b4ea26a49ad66560\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\disk.inf_amd64_neutral_10ce25bbc5a9cc43\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0816\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\mdmusrf.inf_amd64_neutral_439e7d1dcac00aca\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\prnlx00x.inf_amd64_neutral_808baf4e08594a59\Amd64\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\SysWOW64\InstallShield\setupdir\0804\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Drops file in Program Files directory 64 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ui.zh_CN_5.5.0.165303.jar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\drag.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-keymap_zh_CN.jar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\flyout.css 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tashkent 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\epl-v10.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00045_.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299171.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL022.XML 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\jaccess.jar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.console_1.1.0.v20140131-1639.jar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Inuvik 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Pyongyang 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_same_reviewers.gif 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0300520.GIF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\spacer_highlights.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\logo.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\icon.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151061.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01295_.GIF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\EssentialReport.dotx 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\nb-NO\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VC\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\El_Aaiun 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Gibraltar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Maldives 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR35B.GIF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR1F.GIF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107458.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-util-lookup_zh_CN.jar 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152610.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195248.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296288.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME19.CSS 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\El_Salvador 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PREVIEW.GIF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime.css 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSPPT.OLB 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_left.png 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Drops file in Windows directory 64 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription ioc process File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7601.17514_none_ef3338f363c6403c\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-rasmprddm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3503f6f345cf30a6\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_b4d8d57efdc6b4f3\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\ehome\CreateDisc\Components\tables\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-efsadu.resources_31bf3856ad364e35_6.1.7600.16385_en-us_1d10eeafaec88d7e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-ie-vgx_31bf3856ad364e35_11.2.9600.16428_none_cf8e2478fdc92928\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mp43decd_31bf3856ad364e35_6.1.7600.16385_none_10281d340ae2249d\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Te49ad7d9#\c73da2d72e0bbeaf6538615dba2d7143\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_angel64.inf_31bf3856ad364e35_6.1.7600.16385_none_56f2fed0f57bbc5f\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-n..ology-inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_efa27da7ad1b3bd5\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-usbrpm-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c50227b33aed0210\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-powershell-events_31bf3856ad364e35_7.2.7601.23317_none_fb7886e630d67171\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-l2na_31bf3856ad364e35_6.1.7600.16385_none_aa9a36e47b608e1a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.MediaCent#\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-0000044e_31bf3856ad364e35_6.1.7601.17514_none_5c7743f26c0495bb\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d88520244b8491a6\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-a..-provider.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8b38caf3f778227f\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-lsa-msprivs.resources_31bf3856ad364e35_6.1.7600.16385_he-il_a9f59aa8ec09f3ec\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_prnbr002.inf_31bf3856ad364e35_6.1.7600.16385_none_49c93aa2c4304e9e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-p..shell-mui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a733017dc4416ca6\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-comctl32-v5.resources_31bf3856ad364e35_6.1.7600.16385_ar-sa_ce00766f323410b7\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-s..temclient.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d214d43964ec3fe5\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-terminalservices-theme_31bf3856ad364e35_6.1.7600.16385_none_d5bc65ffdc22ec35\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-consolehost_31bf3856ad364e35_6.1.7601.17514_none_d281ccc018b94ff4\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_6.1.7601.17514_he-il_8bea70024ec7fc32\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..onal-codepage-20001_31bf3856ad364e35_6.1.7600.16385_none_ad8dff130045ea0a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-w..rastructure-upgrade_31bf3856ad364e35_6.1.7600.16385_none_b096a84b9ca231ac\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-directx-direct3d10_31bf3856ad364e35_6.1.7600.16385_none_ef8ebbc22eff9332\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\0765c6422b48cd504d2fba3765c78c79\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-fmifs_31bf3856ad364e35_6.1.7600.16385_none_b303632c4b483c6c\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_6.1.7600.16385_none_5e64cd3b287ee4db\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000428_31bf3856ad364e35_6.1.7601.17514_none_52d758bead3958b9\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_lv-lv_bfeef31b27ea4620\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-iis-metabase_31bf3856ad364e35_6.1.7601.17514_none_a1aca7966cf36de2\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\msil_microsoft.management.infrastructure_31bf3856ad364e35_7.2.7601.16406_none_93b676820a1be225\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..rastructureconsumer_31bf3856ad364e35_6.1.7601.17514_none_1202940e4711971e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-b..bitsadmin.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d3bab85e7fea1448\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_mtconfig.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d6ae81ecde8ff22f\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets.resources\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Web\Wallpaper\Architecture\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000463_31bf3856ad364e35_6.1.7600.16385_none_44199b9e7d576305\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-s..ty-cng-keyisolation_31bf3856ad364e35_6.1.7600.16385_none_2a863865442ba065\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\inf\aspnet_state\0001\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-c..tasp1.res.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6d98c8f79d52bc7d\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-f..ruetype-aharonibold_31bf3856ad364e35_6.1.7600.16385_none_df8bf8e079b63081\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-mlang.resources_31bf3856ad364e35_6.1.7600.16385_ru-ru_cf3a10abc52740f6\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\GAC_32\Policy.6.0.Microsoft.Ink\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.ThreadPool\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-p..-localspl-licensing_31bf3856ad364e35_6.1.7600.16385_none_6fa3721d0492b83d\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\wow64_microsoft-windows-network-security_31bf3856ad364e35_6.1.7601.17514_none_359f1faa758b2445\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-encoderapi_31bf3856ad364e35_6.1.7600.16385_none_3da540704023bf4f\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.Resources\1.0.0.0_en_31bf3856ad364e35\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Serialization.Json\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_netimm.inf_31bf3856ad364e35_6.1.7600.16385_none_60363d1b8a50f87a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.11.0.Microsoft.Office.Interop.Publisher\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatiod51afaa5#\87581a03feafa4075e201c62e402702f\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\amd64_microsoft-windows-naturallanguage6_31bf3856ad364e35_6.1.7601.17514_none_fc00d9a9415b5f6e\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-format_31bf3856ad364e35_6.1.7600.16385_none_265f38d5eb4d284a\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\winsxs\x86_microsoft-windows-sfc_31bf3856ad364e35_6.1.7600.16385_none_a70c196fbd853ae9\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio1da2af67#\RyukReadMe.html 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exepid process 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exedescription pid process Token: SeBackupPrivilege 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exenet.exenet.exenet.exenet.exedescription pid process target process PID 384 wrote to memory of 2124 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2124 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2124 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2124 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2568 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2568 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2568 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 2568 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 2124 wrote to memory of 2976 2124 net.exe net1.exe PID 2124 wrote to memory of 2976 2124 net.exe net1.exe PID 2124 wrote to memory of 2976 2124 net.exe net1.exe PID 2124 wrote to memory of 2976 2124 net.exe net1.exe PID 2568 wrote to memory of 2984 2568 net.exe net1.exe PID 2568 wrote to memory of 2984 2568 net.exe net1.exe PID 2568 wrote to memory of 2984 2568 net.exe net1.exe PID 2568 wrote to memory of 2984 2568 net.exe net1.exe PID 384 wrote to memory of 57592 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 57592 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 57592 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 57592 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 57592 wrote to memory of 61608 57592 net.exe net1.exe PID 57592 wrote to memory of 61608 57592 net.exe net1.exe PID 57592 wrote to memory of 61608 57592 net.exe net1.exe PID 57592 wrote to memory of 61608 57592 net.exe net1.exe PID 384 wrote to memory of 90548 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 90548 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 90548 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 384 wrote to memory of 90548 384 16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe net.exe PID 90548 wrote to memory of 90576 90548 net.exe net1.exe PID 90548 wrote to memory of 90576 90548 net.exe net1.exe PID 90548 wrote to memory of 90576 90548 net.exe net1.exe PID 90548 wrote to memory of 90576 90548 net.exe net1.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe"C:\Users\Admin\AppData\Local\Temp\16af8d85ef82a5a35e0ba0a87577cbe221374c0cc55d58bc326139c6207ef338.exe"1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384 -
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "audioendpointbuilder" /y3⤵PID:2976
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:2984
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:57592 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:61608
-
C:\Windows\SysWOW64\net.exe"C:\Windows\System32\net.exe" stop "samss" /y2⤵
- Suspicious use of WriteProcessMemory
PID:90548 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "samss" /y3⤵PID:90576