ryuk | 795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f

Analysis

max time kernel
141s
max time network
159s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goBnh.exe
Size

152KB
MD5

32cbc69f85cc47d8e35dc20dfbda6948
SHA1

35dd5239977c2922a06389061cca846ec09453bb
SHA256

795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
SHA512

f485a56c783dba3c15d691709a6736d5589194ec8f54e8d01342e7d6f4c54b4a56eae0fa49e150e8a13780fcb7e2e50337c8eaa026baf51774527351b365a25c

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.txt	goBnh.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StartSend.png.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\LimitUnregister.png.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\PingGet.tif.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\LimitUnregister.png.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\PingGet.tif.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StartSend.png.RYK	taskhost.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	taskhost.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-ADFS-DL\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_neutral_ed16756f950857e8\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\ras\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-StorageMigration\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_neutral_f54222cc59267e1e\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\ppdlic\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{4933bd21-8338-4e98-a785-1f932a3de0ac}\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasApi\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\000a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\oobe\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\Speech\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_neutral_de46607a02fe2552\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx006.inf_amd64_neutral_cc725426972d1293\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\en-US\Licenses\_Default\HomePremium\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-RasApi\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\PerfTrack\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\PLA\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppLocker\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\RyukReadMe.txt	goBnh.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll.RYK	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	goBnh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.RYK	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings	goBnh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Mail\wabfind.dll	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.Infopath.dll.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR.RYK	goBnh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck.css	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML	goBnh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWCUTLIN.DLL.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Issues.accdt	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF	goBnh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store	taskhost.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-detectionandsharingapi_31bf3856ad364e35_6.1.7600.16385_none_95980881f7dcdc33\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiBmlDataCarousel\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Boot\EFI\pt-PT\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmgl010.inf_31bf3856ad364e35_6.1.7600.16385_none_f9997b85348f7f3e\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..assistant.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65c4a0f680163fd6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-simkai_31bf3856ad364e35_6.1.7600.16385_none_4e5646f58eea24c2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\0af51d481e7c0a48e0fb5164e38e9465\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..ype-microsoftuighur_31bf3856ad364e35_6.1.7600.16385_none_1312b5e22558207e\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MUI\0409\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00bbc5aa103d49e7\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_mdm5674a.inf_31bf3856ad364e35_6.1.7600.16385_none_42fd2975a010a30b\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-management_31bf3856ad364e35_6.1.7600.16385_none_a5c314057d8c6608\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Idena7b556ff#\0723ea64eb28deb30a0df931a69feba6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Csp\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.1.7601.17514_none_e41460cdaec2dd58\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-medctr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ea353a7953b05e87\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_34a3bba803e202dc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-legapp2.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad16d8361ba89373\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31db610f5ea8e8d8\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\df5d78a6328636a4ff7bc7992531d6d0\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_sv-se_0537cdaf7b3218a3\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..lientcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bc90958b7426f93\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-auxdisp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb99a9bd511994f2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-sync.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f1e8d7c089d2d35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcplayerinterop\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-crashdump_31bf3856ad364e35_6.1.7600.16385_none_01824f663087096a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ac5804315806903\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\9620e555dd2477358732a139f1724c57\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_lsi_sas2.inf_31bf3856ad364e35_6.1.7600.16385_none_94aaac30f0f50f7c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_mcstoredb_31bf3856ad364e35_6.1.7601.17514_none_aaca59b1f8f20129\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_megasas.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c81ca7fcade09f13\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dssec_31bf3856ad364e35_6.1.7600.16385_none_b65ac92a1638d945\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Blueprints\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SonicMCEBurnEngine\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-instmes.resources_31bf3856ad364e35_6.1.7600.16385_en-us_187b610e0e5d12af\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_fbee625cd8833528\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe35fb7998e36ab4\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0007\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_keyboard.inf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_8cced6f882fdbee9\RyukReadMe.txt	goBnh.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
94212	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1840	goBnh.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	goBnh.exe
Token: SeBackupPrivilege	1136	taskhost.exe
Token: SeBackupPrivilege	1840	goBnh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1136	1840	goBnh.exe	16
PID 1840 wrote to memory of 1192	1840	goBnh.exe	15

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Temp\goBnh.exe
"C:\Users\Admin\AppData\Local\Temp\goBnh.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:94212

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-59-0x000000013FB10000-0x000000013FE99000-memory.dmp

Filesize
3.5MB

Download
memory/94212-124-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download