ryuk | 8ab5e286c2970c225118f01223f4f0017b9b8565059f88b32024554203c771c6

Analysis

max time kernel
150s
max time network
69s
platform
windows7_x64
resource
win7v20201028
submitted
30-03-2021 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Size

115KB
MD5

d736f4a3fc844b4a7e970b562fbeac85
SHA1

fdd13c9b9e6c0e07f1215780c4ab742627e57917
SHA256

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327
SHA512

7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Score

10^/10

ryuk discovery persistence ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in Drivers directory 4 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Executes dropped EXE 2 IoCs

Processes:

EsESICXSElan.exeLVeXyXYmtlan.exe

pid process

1300 EsESICXSElan.exe
316 LVeXyXYmtlan.exe

pid	process
1300	EsESICXSElan.exe
316	LVeXyXYmtlan.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ConnectUninstall.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\MergeEnable.raw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\UnlockResolve.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\ReceiveRedo.tif.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\RequestGet.raw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\StartReset.crw.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\DebugTest.tiff.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveMount.png.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Users\Admin\Pictures\HideNew.png.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops startup file 1 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Loads dropped DLL 4 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

pid	process
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1392 icacls.exe
1856 icacls.exe

pid	process
1392	icacls.exe
1856	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"	reg.exe

Drops file in System32 directory 64 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\bthprint.inf_amd64_neutral_3c11362fa327f5a4\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mf.inf_amd64_neutral_b263d46928b97a9b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00x.inf_amd64_neutral_eb0842aa932d01ee\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0012\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Speech\Engines\SR\en-US\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Starter\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\LogFiles\Fax\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-Bluetooth-Config\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net44amd.inf_amd64_neutral_db76873d4261eb11\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\IME\shared\res\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiabr00a.inf_amd64_neutral_6033065925bcc882\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wiaky002.inf_amd64_neutral_b898f5982403f3cb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\microsoft-windows-ndis\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvm64.inf_amd64_neutral_59c2a018fe2cf0b4\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\restore\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\amdsata.inf_amd64_neutral_67db50590108ebd9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\ProfessionalN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.WSMan.Management\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasicN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\000a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\0024\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Dism\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\atiilhag.inf_amd64_neutral_0a660e899f5038a2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmracal.inf_amd64_neutral_857b8ff74e5a7073\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnbr005.inf_amd64_neutral_9e4cc05e0d4bcb33\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00b.inf_amd64_neutral_3338d41663aad5fa\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averhbh826_noaverir_x64.inf_amd64_neutral_2fe3b14136d6e46d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dc21x4vm.inf_amd64_neutral_8887242a56ee027e\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00y.inf_amd64_neutral_64560c72e81f6ad7\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx004.inf_amd64_neutral_2cf95f307381e481\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgcs.inf_amd64_neutral_aafcd45e4e890862\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\ProfessionalN\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\Speech\SpeechUX\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmfj2.inf_amd64_neutral_9c9eb67d406a1632\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl002.inf_amd64_neutral_e204d4267d752eb7\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28x.inf_amd64_neutral_c86d6d5c3810fc04\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm005.inf_amd64_neutral_c03c9e328608873e\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnrc00a.inf_amd64_neutral_565c5d04cc520c48\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcrtix.inf_amd64_neutral_e91a5dc0655e200a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_neutral_cadd97421d121ebb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmsii64.inf_amd64_neutral_d7409fccc5ef4078\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnca00a.inf_amd64_neutral_d64d696193e69d7b\Amd64\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ipmidrv.inf_amd64_neutral_1cb648411f252d13\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migration\WSMT\rras\dlmanifests\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-OfflineFiles-DL\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc12.inf_amd64_neutral_ff7295ba5a46d63f\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SysWOW64\spp\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmboca.inf_amd64_neutral_cc532ed7b3b5b5a9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc6.inf_amd64_neutral_2818f7b3b62bdd39\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops file in Program Files directory 64 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Buenos_Aires.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01044_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\org.eclipse.equinox.p2.artifact.repository.prefs	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.servlet_1.1.500.v20140318-1755.jar	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\VisioCustom.propdesc	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\stop_collection_data.gif	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Rome.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00132_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\sysinfo.bat	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152430.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_COL.HXC	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Author2String.XSL	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Bangkok.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Apia.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-j2se-1.0.2.jar.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00402_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD10890_.GIF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS01635_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Scoresbysund	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00305_.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\jquery-ui-1.8.13.custom.css.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\vlc.mo	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.jpg	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\jaccess.jar	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chatham.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_ja_4.4.0.v20140623020002.jar.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.ICO	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR5F.GIF.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-changjei.xml	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Rankin_Inlet	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\J0115875.GIF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\Vostok	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02417_.WMF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\RSSFeeds.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15072_.GIF	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\ADO210.CHM.RYK	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Drops file in Windows directory 64 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-e..mogrifier.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ebb35842936229cb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_server-help-chm.qos.resources_31bf3856ad364e35_6.1.7600.16385_en-us_860b81a6366e79c8\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..odepage-57002-57011_31bf3856ad364e35_6.1.7601.17514_none_3b7302d236956600\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-mobilepc-sensors-api_31bf3856ad364e35_6.1.7600.16385_none_68b9778d5cdfa6d6\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-i..onal-codepage-20423_31bf3856ad364e35_6.1.7600.16385_none_523c76f347672048\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack.Resources\6.1.0.0_en_31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Web.dc83ace6#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationBuildTasks\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..umservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c8200175fb5e14f2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-robocopy.resources_31bf3856ad364e35_6.1.7600.16385_en-us_10bfb0af0a1f880f\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_net8187bv64.inf_31bf3856ad364e35_6.1.7600.16385_none_1b33cf68c32072a3\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_system.web.mobile_b03f5f7f11d50a3a_6.1.7601.17514_none_ac4cc83a8cbcb7cf\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-ie-setup.resources_31bf3856ad364e35_11.2.9600.16428_en-us_d76622cf2d13e543\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security.Resources\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\office\14.0.0.0__71e9bce111e9429c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio1c968d57#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\6c3e7934e9e70d0fb2dfeb3af2325793\cbshandler\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-l..mepremium.resources_31bf3856ad364e35_6.1.7601.17514_en-us_209b3b2d083840d2\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\XamlBuildTask\42d791a24a46d268377418a5c39a5390\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_acpipmi.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ac73b2c5fc356f15\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.web.ftpserver_31bf3856ad364e35_6.1.7600.16385_none_bef417eef572c292\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-mediafoundation_31bf3856ad364e35_6.1.7601.17514_none_04d9defd57c1f6bf\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Hosting.v10.0\10.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management.Resources\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SMSvcHost\3.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-taskscheduler-proxy_31bf3856ad364e35_6.1.7600.16385_none_7d942f7b1c9be29c\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tools\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmcxpv6.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_d07101ecaa44c4af\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmminij.inf_31bf3856ad364e35_6.1.7600.16385_none_45ce09cc47709c2b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-a..wdm-audio.resources_31bf3856ad364e35_6.1.7600.16385_en-us_708a2f68632e24fb\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-es-shellextension_31bf3856ad364e35_6.1.7600.16385_none_f8d4a87b5706f2d9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\4aea15334e123949e180d21d22095b1d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.System.Management.Automation\v4.0_1.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..t-tolerant-heap-adm_31bf3856ad364e35_6.1.7600.16385_none_079fe3c6d593e57b\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-irisupc_31bf3856ad364e35_6.1.7600.16385_none_2449677664faf8df\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-intl_31bf3856ad364e35_6.1.7601.17514_none_0b13ca622f588726\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.7600.16385_bg-bg_cbf67fdab01d5b33\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-security-kerberos_31bf3856ad364e35_6.1.7601.17514_none_4f518cecfbcddc34\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-ntshrui.resources_31bf3856ad364e35_6.1.7600.16385_en-us_5e99205161cab09a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MMCFxCommon\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio49d6fefe#\f52bfe40c54917622ed3abb98db8f90a\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.5\1033\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..resources.resources_31bf3856ad364e35_6.1.7600.16385_en-us_05d947b02549e0df\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-indeo5-codecs_31bf3856ad364e35_6.1.7600.16385_none_24d6d974d24f7d95\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_fdrespub.resources_31bf3856ad364e35_6.1.7600.16385_en-us_b4ee55ea213abf40\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-directwrite.resources_31bf3856ad364e35_7.1.7601.16492_da-dk_3aa3f3127f512dca\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wdi-adm_31bf3856ad364e35_6.1.7600.16385_none_ceb5d594e10b1c54\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.security...ulegenerationwizard_31bf3856ad364e35_6.1.7601.17514_none_f3fddcdbc2847328\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-tapicore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6031bf2baa1a18bc\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wmvdecod_31bf3856ad364e35_6.1.7601.17514_none_c491ee3d3e923b78\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000C\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms.DataVisualization.Design\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-i..l-keyboard-00000440_31bf3856ad364e35_6.1.7600.16385_none_42c533a47e32222e\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-m..vider-rll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_900ad78ec8d47fd9\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-panmap_31bf3856ad364e35_6.1.7600.16385_none_6932aa5f8078bf12\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft.web.management-nonmsil_31bf3856ad364e35_6.1.7601.17514_none_296962b9798b3494\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\inf\ASP.NET\0816\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-t..ventextservice-core_31bf3856ad364e35_6.1.7600.16385_none_8049c66281fe73bd\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_7551b4792ac9630d\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..etwork-setup-wizard_31bf3856ad364e35_6.1.7600.16385_none_f0d21d0b5e184994\RyukReadMe.html	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

780 vssadmin.exe
Runs net.exe

pid	process
780	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

pid	process
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exeWMIC.exevssvc.exeEsESICXSElan.exeLVeXyXYmtlan.exe

description	pid	process
Token: SeBackupPrivilege	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: SeBackupPrivilege	1612	vssvc.exe
Token: SeRestorePrivilege	1612	vssvc.exe
Token: SeAuditPrivilege	1612	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: SeBackupPrivilege	1300	EsESICXSElan.exe
Token: SeBackupPrivilege	316	LVeXyXYmtlan.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exenet.exenet.execmd.execmd.exe

description	pid	process	target process
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	EsESICXSElan.exe
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	EsESICXSElan.exe
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	EsESICXSElan.exe
PID 844 wrote to memory of 1300	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	EsESICXSElan.exe
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	LVeXyXYmtlan.exe
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	LVeXyXYmtlan.exe
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	LVeXyXYmtlan.exe
PID 844 wrote to memory of 316	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	LVeXyXYmtlan.exe
PID 844 wrote to memory of 1144	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	taskhost.exe
PID 844 wrote to memory of 1196	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	Dwm.exe
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 1748	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 1748 wrote to memory of 572	1748	net.exe	net1.exe
PID 1748 wrote to memory of 572	1748	net.exe	net1.exe
PID 1748 wrote to memory of 572	1748	net.exe	net1.exe
PID 1748 wrote to memory of 572	1748	net.exe	net1.exe
PID 268 wrote to memory of 1928	268	net.exe	net1.exe
PID 268 wrote to memory of 1928	268	net.exe	net1.exe
PID 268 wrote to memory of 1928	268	net.exe	net1.exe
PID 268 wrote to memory of 1928	268	net.exe	net1.exe
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 940	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 784	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 940 wrote to memory of 1520	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1520	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1520	940	cmd.exe	WMIC.exe
PID 940 wrote to memory of 1520	940	cmd.exe	WMIC.exe
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 612	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 784 wrote to memory of 780	784	cmd.exe	vssadmin.exe
PID 784 wrote to memory of 780	784	cmd.exe	vssadmin.exe
PID 784 wrote to memory of 780	784	cmd.exe	vssadmin.exe
PID 784 wrote to memory of 780	784	cmd.exe	vssadmin.exe
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1268	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1392	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1856	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	icacls.exe
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1904	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	cmd.exe
PID 844 wrote to memory of 1304	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe
PID 844 wrote to memory of 1304	844	b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe	net.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe
"C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe
"C:\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe
"C:\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:316

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:572

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "WMIC.exe shadowcopy delete"
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\Wbem\WMIC.exe
WMIC.exe shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "vssadmin.exe Delete Shadows /all /quiet"
2⤵
- Suspicious use of WriteProcessMemory
PID:784

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"
2⤵
PID:612

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "bootstatuspolicy ignoreallfailures"
2⤵
PID:1268

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Qÿ
2⤵
- Modifies file permissions
PID:1392

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Qÿ
2⤵
- Modifies file permissions
PID:1856

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
2⤵
PID:1904

C:\Windows\SysWOW64\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327.exe" /f /reg:64
3⤵
- Adds Run key to start application
PID:2480

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2244

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:46888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:47088

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:55612

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:55656

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:108900

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:109408

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:134932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:134960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
b9593ec0f32e196b40c30910a4cfdfb6

SHA1
6bcc416dfb43d467f63c53ac36abccd048448ce1

SHA256
8bceb1ee8cb50d7de722426e87a57aac98a77a0010143c7f198a6a73f2386a0d

SHA512
37d3d9e94a817339090a1a18b29115d6d2dfab877b722177217f739877727e51225979b9d38458b93f08cb3ca2246a76efb1bbd6051f49dbf86511d13b410219

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_fc0e0041-a258-4d5d-ad46-ed56e156a8eb

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
C:\users\Public\RyukReadMe.html

MD5
6c154a713bb0eb5d4440ea5cc938815a

SHA1
32c21281d2fca4e1c74c34b2878e48dd7b84af80

SHA256
3e03b395099d834a1a9c56c57d075a00a456b6e20074a5214c9651605e9ff312

SHA512
77fcea96c07f2d6786f5e8c17eb407f8456fa6e649174ddfc88dbab3f6aed51ccd5fb077831f42b040ff87c2637b97ff3c9ae830b1196aab6616d184917ddf60

Download Submit
\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
\Users\Admin\AppData\Local\Temp\EsESICXSElan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
\Users\Admin\AppData\Local\Temp\LVeXyXYmtlan.exe

MD5
d736f4a3fc844b4a7e970b562fbeac85

SHA1
fdd13c9b9e6c0e07f1215780c4ab742627e57917

SHA256
b3846bc61ca63d9c10d6f559688e366061ae98fcbe82076b9e557b0beec6f327

SHA512
7ee0ba7a2df6cc294b9955279bbfbfe7f3e167dc208b7d9290ba67bb0c516b228d1b75c7eeebcdb9090b85e8267d239889c3ad12718a281978a1aa00ad8509fe

Download Submit
memory/268-15-0x0000000000000000-mapping.dmp

Download
memory/316-9-0x0000000000000000-mapping.dmp

Download
memory/572-16-0x0000000000000000-mapping.dmp

Download
memory/612-22-0x0000000000000000-mapping.dmp

Download
memory/780-23-0x0000000000000000-mapping.dmp

Download
memory/784-20-0x0000000000000000-mapping.dmp

Download
memory/844-10-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-12-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-14-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/844-2-0x0000000076881000-0x0000000076883000-memory.dmp

Filesize
8KB

Download
memory/940-19-0x0000000000000000-mapping.dmp

Download
memory/1268-24-0x0000000000000000-mapping.dmp

Download
memory/1300-5-0x0000000000000000-mapping.dmp

Download
memory/1304-28-0x0000000000000000-mapping.dmp

Download
memory/1392-25-0x0000000000000000-mapping.dmp

Download
memory/1520-21-0x0000000000000000-mapping.dmp

Download
memory/1748-13-0x0000000000000000-mapping.dmp

Download
memory/1856-26-0x0000000000000000-mapping.dmp

Download
memory/1904-27-0x0000000000000000-mapping.dmp

Download
memory/1928-18-0x0000000000000000-mapping.dmp

Download
memory/2244-30-0x0000000000000000-mapping.dmp

Download
memory/2480-31-0x0000000000000000-mapping.dmp

Download
memory/46888-35-0x0000000000000000-mapping.dmp

Download
memory/47088-36-0x0000000000000000-mapping.dmp

Download
memory/55612-37-0x0000000000000000-mapping.dmp

Download
memory/55656-38-0x0000000000000000-mapping.dmp

Download
memory/108900-40-0x0000000000000000-mapping.dmp

Download
memory/109408-41-0x0000000000000000-mapping.dmp

Download
memory/134932-42-0x0000000000000000-mapping.dmp

Download
memory/134960-43-0x0000000000000000-mapping.dmp

Download