Analysis
max time kernel: 149s
max time network: 219s
platform: windows7_x64
resource: win7v20210410
submitted: 27-04-2021 14:41
Static task: static1
Behavioral task: behavioral1
Sample: unequal-oven.exe
Resource: win7v20210410
Platform: windows7_x64
0 signatures
0 seconds
General
Target: unequal-oven.exe
Size: 152KB
MD5: 7a7b1300e8b5a10424e08958a6fc15c1
SHA1: 9db96b1a4bff1ffc6b945360cc5cc363642ffc94
SHA256: 501e925e5de6c824b5eeccb3ccc5111cf6e312258c0877634935df06b9d0f8b9
SHA512: ce80e5313fad830387fb758ebfbe5c77976532acfece81fc57978399261a5b6ffb3a89f0ded288483ce38f21bf9fa8f6052e4afeeec1ab202a809ecb7722eb30
Score: 10/10
Malware Config
Extracted
Path: C:\RyukReadMe.txt
Family: ryuk
Ransom Note:
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation.
More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder.
No decryption software is available in the public.
Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT DELETE readme files.
To confirm our honest intentions.Send 2 different random files and you will get it decrypted.
It can be from different computers on your network to be sure that one key decrypts everything.
2 files we unlock for free
To get info (decrypt your files) contact us at
[email protected]
or
[email protected]
You will receive btc address for payment in the reply letter
Ryuk
No system is safe
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Drops file in Drivers directory (18 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\en-US\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\SysWOW64\drivers\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\System32\drivers\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\System32\drivers\en-US\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\SysWOW64\drivers\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\System32\drivers\etc\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\System32\drivers\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\System32\drivers\etc\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\RyukReadMe.txt | taskhost.exe
File opened for modification | C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt | unequal-oven.exe
Modifies extensions of user files (14 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\ConvertResolve.crw.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\InstallComplete.png.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\WriteRename.png.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\CloseWatch.crw.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\SaveOptimize.crw.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\WriteRename.png.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\InstallComplete.png.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\SaveOptimize.crw.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\CloseWatch.crw.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\WatchRename.raw.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\ExportUnpublish.raw.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\ExportUnpublish.raw.RYK | taskhost.exe
File opened for modification | C:\Users\Admin\Pictures\ConvertResolve.crw.RYK | unequal-oven.exe
File opened for modification | C:\Users\Admin\Pictures\WatchRename.raw.RYK | taskhost.exe
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt | unequal-oven.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt | taskhost.exe
Drops desktop.ini file(s) (64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory 64 IoCs
description ioc Process
File opened for modification C:\Windows\inf\usbhub\0000\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Diagnostics.Activities\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation.resources\v4.0_3.0.0.0_en_31bf3856ad364e35\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\fac6392e83ef7e777b78933e057c9546\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Boot\DVD\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Boot\EFI\pl-PL\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\servicing\Sessions\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\SrpUxSnapIn\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\MMCEx\b46af15d2e2ae2782f384bfc4a4c2c03\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXmlLinq\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\IME\imekr8\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\AppPatch\en-US\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Draw0a54d252#\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Boot\EFI\da-DK\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic.Runtime\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.iTv.Hosting\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\3.5.0.0__b77a5c561934e089\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\4bfa36696bef033cf7e33b1a092c8a0f\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\SMSvcHost\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\UIAutomationClient\eca4310274a7a6ce651b33cd4278610c\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9206dc8156588e608d405729c833edc5\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Policy.12.0.Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Parallel\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\ehExtHost32\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\7a9c26f21641112fcacd6f087b42133a\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\diagnostics\system\Networking\en-US\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0009\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\1033\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\AuditPolicyGPManage#\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\diagnostics\system\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\inf\ASP.NET\0008\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\SrpUxSnapIn\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.CompilerServices.VisualC\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\ServiceProfiles\LocalService\Documents\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Transactions\051655963f24f9ade08486084c570086\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Serv43e0ae6e#\155f8a911bfaadd919c85d61838cdd1e\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.TypeConverter\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Resources\Themes\Aero\Shell\NormalColor\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.GraphicalHost.Resources\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCore\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio84a7b877#\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections.Specialized\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_32\Policy.1.0.Microsoft.Interop.Security.AzRoles\6.1.7600.16385__31bf3856ad364e35\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.CSharp\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\GAC_MSIL\PresentationCFFRasterizer\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\LoadMxf\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runt73a1fc9d#\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt taskhost.exe
File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Servb00a6512#\RyukReadMe.txt unequal-oven.exe
File opened for modification C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.Powershell.ConsoleHost\v4.0_1.0.0.0__31bf3856ad364e35\RyukReadMe.txt unequal-oven.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
1872 unequal-oven.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 1872 unequal-oven.exe
Token: SeBackupPrivilege 1120 taskhost.exe
Token: SeBackupPrivilege 1872 unequal-oven.exe
-
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target
PID 1872 wrote to memory of 1120 1872 unequal-oven.exe 13
PID 1872 wrote to memory of 1164 1872 unequal-oven.exe 12
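The signature tables above carry the three facts a responder needs from this run: the ransom note name (RyukReadMe.txt), the extension appended to encrypted files (.RYK), and the fact that the note is written by taskhost.exe as well as by the sample, which matches the two WriteProcessMemory events (the sample writing into PIDs 1120 and 1164). The helper below is an added example, not part of the sandbox report or of any Ryuk write-up: it parses the report's flattened "File opened for modification <path> <process>" and "PID <a> wrote to memory of <b> ..." rows, then cross-checks which note-dropping processes were also injection targets. The excerpt rows are copied from this page; the PID-to-name map is taken from the process tree in the Processes section; all function names are the example's own.

```python
"""Triage helper for a flattened sandbox IoC dump (added example, not report code).

Reads the "Drops file ..." and "Suspicious use of WriteProcessMemory" tables as
they appear on the page (entries run together, some split across lines) and
answers: which processes drop the ransom note, which files got the ransomware
extension, and whether every non-sample note-dropper is explained by an
injection from the sample.
"""
import re
from collections import Counter

RANSOM_NOTE = "RyukReadMe.txt"     # note filename from the Malware Config
ENCRYPTED_EXT = ".RYK"             # extension seen in "Modifies extensions of user files"
SAMPLE_NAME = "unequal-oven.exe"   # the submitted sample

MARKER = "File opened for modification "
WPM_RE = re.compile(r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<proc>\S+)")

# Rows copied from this report (a few of the 64+ entries), including one entry
# that the page breaks across two lines and one path containing spaces and '+'.
REPORT_EXCERPT = r"""description ioc Process File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\RyukReadMe.txt taskhost.exe File opened for modification C:\Program Files\Microsoft Office\Office14\OLKFSTUB.DLL.RYK unequal-oven.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\+Connect to New Data Source.odc.RYK unequal-oven.exe File opened for modification
C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0009\RyukReadMe.txt taskhost.exe File opened for modification C:\Windows\Boot\DVD\RyukReadMe.txt unequal-oven.exe -
"""
WPM_EXCERPT = ("PID 1872 wrote to memory of 1120 1872 unequal-oven.exe 13 "
               "PID 1872 wrote to memory of 1164 1872 unequal-oven.exe 12")
# PID -> image name, from the Processes tree on this page.
PID_NAMES = {1872: "unequal-oven.exe", 1120: "taskhost.exe", 1164: "Dwm.exe"}


def parse_file_events(text):
    """Return (path, process) tuples from a flattened 'Drops file' table."""
    events = []
    # join line breaks first: an entry may be split right after the marker
    for chunk in text.replace("\n", " ").split(MARKER)[1:]:
        chunk = chunk.strip().rstrip(" -")   # drop the table's trailing '-' separator
        if " " not in chunk:
            continue
        path, proc = chunk.rsplit(" ", 1)    # process name never contains spaces
        if not re.match(r"^[A-Za-z]:\\", path) or not proc.lower().endswith(".exe"):
            continue                         # header text or a stray token
        events.append((path, proc))
    return events


def parse_injections(text):
    """Return (source_pid, target_pid, source_process) from WriteProcessMemory rows."""
    return [(int(m["src"]), int(m["dst"]), m["proc"]) for m in WPM_RE.finditer(text)]


def summarise(file_events, injections, pid_names):
    notes = Counter(proc for path, proc in file_events
                    if path.endswith("\\" + RANSOM_NOTE))
    encrypted = [path for path, _ in file_events
                 if path.upper().endswith(ENCRYPTED_EXT)]
    injected = {pid_names.get(dst, str(dst)) for _, dst, _ in injections}
    # any process other than the sample that writes the note is running Ryuk code
    hijacked = {p for p in notes if p != SAMPLE_NAME}
    return {
        "notes_by_process": dict(notes),
        "encrypted_files": encrypted,
        "injection_targets": sorted(injected),
        "note_droppers_confirmed_injected": sorted(hijacked & injected),
        # non-empty here would mean a second infection vector the report does not show
        "note_droppers_unexplained": sorted(hijacked - injected),
    }


if __name__ == "__main__":
    result = summarise(parse_file_events(REPORT_EXCERPT),
                       parse_injections(WPM_EXCERPT), PID_NAMES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On this excerpt the helper reports taskhost.exe and the sample as note-droppers, two .RYK files, injection targets Dwm.exe and taskhost.exe, and taskhost.exe as the one non-sample note-dropper that is explained by an injection. Dwm.exe receives a write but drops no note in the rows shown, so it stays out of the "confirmed" set rather than being assumed hijacked.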
Processes
-
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
PID:1164
-
C:\Windows\system32\taskhost.exe
"taskhost.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1120
-
C:\Users\Admin\AppData\Local\Temp\unequal-oven.exe
"C:\Users\Admin\AppData\Local\Temp\unequal-oven.exe"
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872