ryuk | 8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6

Analysis

max time kernel
150s
max time network
69s
platform
windows7_x64
resource
win7v20201028
submitted
30/03/2021, 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Size

115KB
MD5

d736f4a3fc844b4a7e970b562fbeac85
SHA1

fdd13c9b9e6c0e07f1215780c4ab742627e57917
SHA256

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
SHA512

7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Executes dropped EXE 2 IoCs

pid	Process
1300	EsESICXSElan.exe
316	LVeXyXYmtlan.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ConnectUninstall.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\MergeEnable.raw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockResolve.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRedo.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\RequestGet.raw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\StartReset.crw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\DebugTest.tiff.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveMount.png.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\HideNew.png.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Loads dropped DLL 4 IoCs

pid	Process
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1392	icacls.exe
1856	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"	reg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0012\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bluetooth-Config\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_neutral_db76873d4261eb11\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\IME\shared\res\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\restore\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\000a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0024\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Dism\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_neutral_857b8ff74e5a7073\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Speech\SpeechUX\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_neutral_cadd97421d121ebb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_neutral_d7409fccc5ef4078\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\spp\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc6.inf_amd64_neutral_2818f7b3b62bdd39\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01044_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\jaccess.jar	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ADO210.CHM.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..mogrifier.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ebb35842936229cb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.qos.resources_31bf3856ad364e35_6.1.7600.16385_en-us_860b81a6366e79c8\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..odepage-57002-57011_31bf3856ad364e35_6.1.7601.17514_none_3b7302d236956600\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_6.1.7600.16385_none_68b9778d5cdfa6d6\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20423_31bf3856ad364e35_6.1.7600.16385_none_523c76f347672048\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\6.1.0.0_en_31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..umservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c8200175fb5e14f2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_10bfb0af0a1f880f\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_net8187bv64.inf_31bf3856ad364e35_6.1.7600.16385_none_1b33cf68c32072a3\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_system.web.mobile_b03f5f7f11d50a3a_6.1.7601.17514_none_ac4cc83a8cbcb7cf\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.2.9600.16428_en-us_d76622cf2d13e543\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\office\14.0.0.0__71e9bce111e9429c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_en-us_209b3b2d083840d2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\XamlBuildTask\42d791a24a46d268377418a5c39a5390\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_acpipmi.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac73b2c5fc356f15\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.web.ftpserver_31bf3856ad364e35_6.1.7600.16385_none_bef417eef572c292\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0\10.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-proxy_31bf3856ad364e35_6.1.7600.16385_none_7d942f7b1c9be29c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d07101ecaa44c4af\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmminij.inf_31bf3856ad364e35_6.1.7600.16385_none_45ce09cc47709c2b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_708a2f68632e24fb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-es-shellextension_31bf3856ad364e35_6.1.7600.16385_none_f8d4a87b5706f2d9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\4aea15334e123949e180d21d22095b1d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.System.Management.Automation\v4.0_1.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..t-tolerant-heap-adm_31bf3856ad364e35_6.1.7600.16385_none_079fe3c6d593e57b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-irisupc_31bf3856ad364e35_6.1.7600.16385_none_2449677664faf8df\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-intl_31bf3856ad364e35_6.1.7601.17514_none_0b13ca622f588726\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_bg-bg_cbf67fdab01d5b33\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_4f518cecfbcddc34\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5e99205161cab09a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MMCFxCommon\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\f52bfe40c54917622ed3abb98db8f90a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1033\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..resources.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05d947b02549e0df\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-indeo5-codecs_31bf3856ad364e35_6.1.7600.16385_none_24d6d974d24f7d95\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_fdrespub.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b4ee55ea213abf40\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_da-dk_3aa3f3127f512dca\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wdi-adm_31bf3856ad364e35_6.1.7600.16385_none_ceb5d594e10b1c54\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.security...ulegenerationwizard_31bf3856ad364e35_6.1.7601.17514_none_f3fddcdbc2847328\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6031bf2baa1a18bc\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wmvdecod_31bf3856ad364e35_6.1.7601.17514_none_c491ee3d3e923b78\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000C\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000440_31bf3856ad364e35_6.1.7600.16385_none_42c533a47e32222e\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_900ad78ec8d47fd9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-panmap_31bf3856ad364e35_6.1.7600.16385_none_6932aa5f8078bf12\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft.web.management-nonmsil_31bf3856ad364e35_6.1.7601.17514_none_296962b9798b3494\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\ASP.NET\0816\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ventextservice-core_31bf3856ad364e35_6.1.7600.16385_none_8049c66281fe73bd\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_7551b4792ac9630d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..etwork-setup-wizard_31bf3856ad364e35_6.1.7600.16385_none_f0d21d0b5e184994\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
780	vssadmin.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeBackupPrivilege	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: SeBackupPrivilege	1612	vssvc.exe
Token: SeRestorePrivilege	1612	vssvc.exe
Token: SeAuditPrivilege	1612	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: SeBackupPrivilege	1300	EsESICXSElan.exe
Token: SeBackupPrivilege	316	LVeXyXYmtlan.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	29
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	29
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	29
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	29
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	30
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	30
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	30
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	30
PID 844 wrote to memory of 1144	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	19
PID 844 wrote to memory of 1196	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	21
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	31
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	31
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	31
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	31
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	35
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	35
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	35
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	35
PID 1748 wrote to memory of 572	1748	net.exe	33
PID 1748 wrote to memory of 572	1748	net.exe	33
PID 1748 wrote to memory of 572	1748	net.exe	33
PID 1748 wrote to memory of 572	1748	net.exe	33
PID 268 wrote to memory of 1928	268	net.exe	36
PID 268 wrote to memory of 1928	268	net.exe	36
PID 268 wrote to memory of 1928	268	net.exe	36
PID 268 wrote to memory of 1928	268	net.exe	36
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	37
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	37
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	37
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	37
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	39
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	39
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	39
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	39
PID 940 wrote to memory of 1520	940	cmd.exe	41
PID 940 wrote to memory of 1520	940	cmd.exe	41
PID 940 wrote to memory of 1520	940	cmd.exe	41
PID 940 wrote to memory of 1520	940	cmd.exe	41
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	42
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	42
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	42
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	42
PID 784 wrote to memory of 780	784	cmd.exe	44
PID 784 wrote to memory of 780	784	cmd.exe	44
PID 784 wrote to memory of 780	784	cmd.exe	44
PID 784 wrote to memory of 780	784	cmd.exe	44
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	43
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	43
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	43
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	43
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	48
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	48
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	48
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	48
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	50
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	50
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	50
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	50
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	51
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	51
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	51
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	51
PID 844 wrote to memory of 1304	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	52
PID 844 wrote to memory of 1304	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	52

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
"C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe
  "C:\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe
  "C:\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:316
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:572
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "WMIC.exe shadowcopy delete"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\Wbem\WMIC.exe
    WMIC.exe shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:784
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
  2⤵
  PID:612
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "bootstatuspolicy ignoreallfailures"
  2⤵
  PID:1268
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Qÿ
  2⤵
  - Modifies file permissions
  PID:1392
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Qÿ
  2⤵
  - Modifies file permissions
  PID:1856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
  2⤵
  PID:1904
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    PID:2480
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:2244
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:46888
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:47088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:55612
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:55656
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:108900
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:109408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:134932
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:134960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-10-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-12-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-14-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-2-0x0000000076881000-0x0000000076883000-memory.dmp

Filesize
8KB

Download