ryuk | 795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f

Analysis

max time kernel
141s
max time network
159s
platform
windows7_x64
resource
win7v20210408
submitted
10-08-2021 10:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goBnh.exe
Size

152KB
MD5

32cbc69f85cc47d8e35dc20dfbda6948
SHA1

35dd5239977c2922a06389061cca846ec09453bb
SHA256

795db7bdad1befdd3ad942be79715f6b0c5083d859901b81657b590c9628790f
SHA512

f485a56c783dba3c15d691709a6736d5589194ec8f54e8d01342e7d6f4c54b4a56eae0fa49e150e8a13780fcb7e2e50337c8eaa026baf51774527351b365a25c

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 18 IoCs

Processes:

goBnh.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\drivers\etc\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\drivers\UMDF\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.txt	goBnh.exe

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exegoBnh.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StartSend.png.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\TraceMove.tiff.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\LimitUnregister.png.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\PingGet.tif.RYK	goBnh.exe
File opened for modification	C:\Users\Admin\Pictures\LimitUnregister.png.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\PingGet.tif.RYK	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StartSend.png.RYK	taskhost.exe

Drops startup file 2 IoCs

Processes:

goBnh.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt	taskhost.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

taskhost.exegoBnh.exe

description	ioc	process
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\SendTo\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VNYR844D\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\HNHPAZTY\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NU1L7O13\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E9RC2MV6\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H18KNA1T\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Recent\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\desktop.ini	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	taskhost.exe
File opened for modification	C:\Users\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Maintenance\Desktop.ini	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	goBnh.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Default\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Public\Libraries\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Contacts\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Favorites\Links\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Saved Games\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe
File opened for modification	C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\X8SF34HL\desktop.ini	taskhost.exe

Drops file in System32 directory 64 IoCs

Processes:

goBnh.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-ADFS-DL\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\MemoryDiagnostic\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremium\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2hbh826d_noaverir_x64.inf_amd64_neutral_da2ba9e8a30dad14\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net1yx64.inf_amd64_neutral_ed16756f950857e8\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\net8185.inf_amd64_neutral_4ab014d645098f5f\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ph3xibc5.inf_amd64_neutral_2270382453de2dbb\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\ras\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnge001.inf_amd64_neutral_cfffa4143b3c4592\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-StorageMigration\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IasServer-MigPlugin\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\flpydisk.inf_amd64_neutral_f54222cc59267e1e\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmdgitn.inf_amd64_neutral_09132735f1063a47\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzyp.inf_amd64_neutral_b64bd08009e7444f\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\ppdlic\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\adp94xx.inf_amd64_neutral_4928c8870f6a1577\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnnr004.inf_amd64_neutral_3319ff2548f89fd8\Amd64\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{4933bd21-8338-4e98-a785-1f932a3de0ac}\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\arc.inf_amd64_neutral_11b52dec8e94d9aa\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\NetTrace\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-RasApi\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\000a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\atiriol6.inf_amd64_neutral_bde34ad5722cca75\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-Unimodem-Config\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\EnterpriseN\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\ProfessionalN\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\oobe\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\Speech\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\averfx2swtv_noavin_x64.inf_amd64_neutral_86943dd17860e449\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnis2u.inf_amd64_neutral_de46607a02fe2552\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky007.inf_amd64_neutral_e637699044f367f3\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00y.inf_amd64_neutral_977318f2317f5ddd\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin002.inf_amd64_neutral_977d40799168c216\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx006.inf_amd64_neutral_cc725426972d1293\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00w.inf_amd64_neutral_d4c93bb2fbf75723\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnms002.inf_amd64_neutral_d834e48846616289\Amd64\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\cxraptor_philipstuv1236d_ibv64.inf_amd64_neutral_b6a3e57df5bad299\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmcomp.inf_amd64_neutral_e5ca2f01ca47bddb\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmgl005.inf_amd64_neutral_8b56291bfd2a4061\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nv_lh.inf_amd64_neutral_bc69f20e3115af59\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdmtp.inf_amd64_neutral_28f06ca2e38e8979\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\migwiz\replacementmanifests\WindowsSearchEngine\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\en-US\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netvg62a.inf_amd64_neutral_5817ae5135655364\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\en-US\Licenses\_Default\HomePremium\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\migwiz\dlmanifests\Microsoft-Windows-RasApi\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\PerfTrack\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm004.inf_amd64_neutral_d2aee42dc9c393ea\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\PLA\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppLocker\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ehstorpwddrv.inf_amd64_neutral_ecd233d7cabbdebf\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmetech.inf_amd64_neutral_230358eeb58f0b3b\RyukReadMe.txt	goBnh.exe

Drops file in Program Files directory 64 IoCs

Processes:

taskhost.exegoBnh.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\FeedSync.dll.RYK	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\photoedge_videoinset.png	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\LICENSE	goBnh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\vlc.mo	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libpostproc_plugin.dll	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_blue_partly-cloudy.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-H	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18228_.WMF.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDREST.CFG	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tokyo.RYK	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Jayapura	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\THMBNAIL.PNG.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0304371.WMF	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans_1.2.200.v20140214-0004.jar	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jawt.dll	taskhost.exe
File opened for modification	C:\Program Files\Java\jre7\lib\tzmappings	goBnh.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png	taskhost.exe
File opened for modification	C:\Program Files\Windows Mail\wabfind.dll	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\lib\psfont.properties.ja	goBnh.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Noumea	taskhost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\SendMail.api	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.Infopath.dll.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98.POC	taskhost.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\TravelIntroToMain_PAL.wmv	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_double_bkg.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART13.BDR.RYK	goBnh.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\flower_trans_matte.wmv	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck.css	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML	goBnh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Connectivity.gif	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll	goBnh.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01294_.GIF	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\TWCUTLIN.DLL.RYK	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02262_.WMF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp	taskhost.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-disable.png	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\custom.lua	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG	goBnh.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.RYK	goBnh.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\CASHREG.WAV.RYK	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Issues.accdt	goBnh.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\PREVIEW.GIF	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107744.WMF	goBnh.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG	taskhost.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml	taskhost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml	taskhost.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\AddIns.store	taskhost.exe

Drops file in Windows directory 64 IoCs

Processes:

goBnh.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\WindowsBase\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-detectionandsharingapi_31bf3856ad364e35_6.1.7600.16385_none_95980881f7dcdc33\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiBmlDataCarousel\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Boot\EFI\pt-PT\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml.Linq\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmgl010.inf_31bf3856ad364e35_6.1.7600.16385_none_f9997b85348f7f3e\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..assistant.resources_31bf3856ad364e35_6.1.7600.16385_en-us_65c4a0f680163fd6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Access.Dao\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationClient\3.0.0.0__31bf3856ad364e35\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-truetype-simkai_31bf3856ad364e35_6.1.7600.16385_none_4e5646f58eea24c2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Office.In#\0af51d481e7c0a48e0fb5164e38e9465\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..ype-microsoftuighur_31bf3856ad364e35_6.1.7600.16385_none_1312b5e22558207e\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MUI\0409\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cryptsvc-dll.resources_31bf3856ad364e35_6.1.7600.16385_en-us_00bbc5aa103d49e7\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\diagnostics\system\Device\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_mdm5674a.inf_31bf3856ad364e35_6.1.7600.16385_none_42fd2975a010a30b\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-com-dtc-management_31bf3856ad364e35_6.1.7600.16385_none_a5c314057d8c6608\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\ReachFramework\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Idena7b556ff#\0723ea64eb28deb30a0df931a69feba6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security.Cryptography.Csp\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\1033\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-cryptui-dll_31bf3856ad364e35_6.1.7601.17514_none_e41460cdaec2dd58\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-fax-service_31bf3856ad364e35_6.1.7601.17514_none_0b499f2c96e8f6b2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-medctr.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ea353a7953b05e87\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Managemen#\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dot3svc.resources_31bf3856ad364e35_6.1.7600.16385_en-us_630d9bc151625afa\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-forfiles.resources_31bf3856ad364e35_6.1.7600.16385_en-us_34a3bba803e202dc\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-legapp2.resources_31bf3856ad364e35_6.1.7600.16385_en-us_ad16d8361ba89373\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Presentatio53a7a42c#\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-comdlg32.resources_31bf3856ad364e35_6.1.7601.17514_hr-hr_31db610f5ea8e8d8\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Wind5cb9c182#\df5d78a6328636a4ff7bc7992531d6d0\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..fontcache.resources_31bf3856ad364e35_7.1.7601.16492_sv-se_0537cdaf7b3218a3\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-f..lientcore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_3bc90958b7426f93\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-auxdisp.resources_31bf3856ad364e35_6.1.7600.16385_en-us_cb99a9bd511994f2\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-sync.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0f1e8d7c089d2d35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\mcplayerinterop\6.1.0.0__31bf3856ad364e35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatiob3047ded#\db7f29ce66da5498e9ae3b5eb88e40a6\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-crashdump_31bf3856ad364e35_6.1.7600.16385_none_01824f663087096a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.DurableInstancing\v4.0_4.0.0.0__31bf3856ad364e35\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.OutlookViewCtl\14.0.0.0__71e9bce111e9429c\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-a..in-native.resources_31bf3856ad364e35_6.1.7600.16385_en-us_7ac5804315806903\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Globalization\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Core\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Te49ad7d9#\9620e555dd2477358732a139f1724c57\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_lsi_sas2.inf_31bf3856ad364e35_6.1.7600.16385_none_94aaac30f0f50f7c\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_mcstoredb_31bf3856ad364e35_6.1.7601.17514_none_aaca59b1f8f20129\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_megasas.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c81ca7fcade09f13\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-dssec_31bf3856ad364e35_6.1.7600.16385_none_b65ac92a1638d945\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.VisualStudio.Tools.Applications.Blueprints\8.0.0.0__b03f5f7f11d50a3a\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\SonicMCEBurnEngine\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-instmes.resources_31bf3856ad364e35_6.1.7600.16385_en-us_187b610e0e5d12af\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-font-fms.resources_31bf3856ad364e35_6.1.7600.16385_nl-nl_fbee625cd8833528\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..ragelayer.resources_31bf3856ad364e35_6.1.7600.16385_en-us_fe35fb7998e36ab4\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0007\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\RyukReadMe.txt	goBnh.exe
File opened for modification	C:\Windows\winsxs\amd64_keyboard.inf.resources_31bf3856ad364e35_6.1.7601.17514_en-us_8cced6f882fdbee9\RyukReadMe.txt	goBnh.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

94212 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

goBnh.exe

pid process

1840 goBnh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

goBnh.exetaskhost.exe

description pid process

Token: SeDebugPrivilege 1840 goBnh.exe
Token: SeBackupPrivilege 1136 taskhost.exe
Token: SeBackupPrivilege 1840 goBnh.exe
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

goBnh.exe

description pid process target process

PID 1840 wrote to memory of 1136 1840 goBnh.exe taskhost.exe
PID 1840 wrote to memory of 1192 1840 goBnh.exe Dwm.exe

pid	process
94212	NOTEPAD.EXE

pid	process
1840	goBnh.exe

description	pid	process
Token: SeDebugPrivilege	1840	goBnh.exe
Token: SeBackupPrivilege	1136	taskhost.exe
Token: SeBackupPrivilege	1840	goBnh.exe

description	pid	process	target process
PID 1840 wrote to memory of 1136	1840	goBnh.exe	taskhost.exe
PID 1840 wrote to memory of 1192	1840	goBnh.exe	Dwm.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Users\Admin\AppData\Local\Temp\goBnh.exe
"C:\Users\Admin\AppData\Local\Temp\goBnh.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RyukReadMe.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:94212

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
MD5
8babd9056133d88c50216f3abf1acb9a

SHA1
95ee26596ecbf73820dfb2471d9fe62ef43e3803

SHA256
20159b3fbaec14fd7f3c7d73d8f2073392c5f3e612a6bc0793d615e7c2034f21

SHA512
7b50ff4b3f63a57cbecad4b27b438544630d5660960a8f84fb4b644bb45441cd421e92ca76d51f57504d05ec8fc9cefcb45c6422ee2216206f8dd5c9d714578b

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lstRYK.RYK
MD5
5761688ac1930e411a2877090a329a44

SHA1
181b1b6ba52ce1e7c2fab173e0604bc52591f2e1

SHA256
8f53b677d8bed33c35134465cc079c434b1a8380938017c9ab0c44f23a8171e3

SHA512
80df4a8afbc95c6c2174ad6b6c292b4545e294e3d2a704a59ee877b055e1ee78a24a716d3a2bae5ea5d214c7bc14149a9e5e759c1b1699a40599a7094725e13e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.iccRYK.RYK
MD5
94d072668b3d84cc41858904f6beada2

SHA1
545aaab475b3978a0b6fa785c0fc60b277b76429

SHA256
2708663aeaac33ade6ebd7554336f992b4ee33816392f8859e70ad818fbbf87e

SHA512
baadfdcd885e118146c777177e5b09f7d8c2a666efc5a0a8201f8a58590a247e9e6bb06ddc98d87adac7e79dc7640fe4025ef2787f203944f9be8d9bb9a81dde

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
MD5
338b7e9256d6759348fe3c16c9a1897c

SHA1
52acec52b5fad142370708c2ea852dd8bfef5110

SHA256
7655e1798e55a641f774bb60a20fb02b486cfb4de22dbddf7e920ddb74e2e5a0

SHA512
67a213c12fc0837a76cabcafcb1fd026b1f35334b2acbb4eb54f1b638f4e60b971d1ed3ffe2b4960a426e034fa414fccf261aed87eed7ec51e4ceacffa57f39f

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
MD5
d316bc9b34a3f2954ac2df75f2f30cb9

SHA1
faf3a2dd10f3a048c8c2ef81191fc1ab456d1e10

SHA256
7115cc6eb77d41492343761418bdef7e07ef32a8e7e4a69482f55a078449a4e6

SHA512
6cf76d53aa15060d4b0befce2f9bb851c339cb3834752ddfabd52c22e87370870a28feea739b71937150e36eab7df6f41b6eb1687b1eeb94d0afe5a7dacf540a

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK
MD5
8b54efd2606f2077dec430f122c8f804

SHA1
19274a527d71a4ac4adf7bb8cc81819dceeaeac6

SHA256
d8a3295c6e8d023d69f1ef5e5a56e8e7f712094c20a5e062a7e1c3de8b535480

SHA512
21d2c1baebd283533f982ab513cc6d0a699850f208ac9ba731c671d16d7ca002ecb4ee1a5ebf940349c16ba517bea6252f0d4457a2a1353c08401112e47ab1bf

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK
MD5
c7c3d145f6e008221aae4bc460f2c572

SHA1
8ddc12628be31b8aa6ddf256b4e294b77c58a2e4

SHA256
4cc1d19b4547a23e06700c7807fd7661eb1fa49c61c64c22fa35cd364a97bfbb

SHA512
f411317c74633bea5061301a34eb6645de15a62f0282f890b60cd9f327c6ce483f7ab3280f5c1c29641b651336eaa5ac72e335ac15bbc58b7c092aa32d4adcae

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
MD5
92a4783f0803124f64da1b46ff116b19

SHA1
e89ef47f4cc2ca6983925b5a5507d8dc460a7448

SHA256
80b5967a81863311c8838d439e78d70e6bd93038fce225d6053353cc663d1375

SHA512
9e070a9db16a0af1bec378ccadb6f1bb57495746c27cd07f6ba1e1b654aecf173e3c9a5b5a096441ef9f66867c3f6e3dcab14bd93b0758f4b3bbfeb052b576d9

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI26D3.tmp-tmp.RYK
MD5
032e88afef76d2ba70d2c990e7f139c6

SHA1
019410961c6fe008e307289797d15d2505595bbf

SHA256
94d6d055721092ea4ce642795f17074c7b1a3c7b3c5c5f960ee77a95b1e40461

SHA512
637a18137f4cb15b7ac6e7e1b43c87ad365d41e034cb72a4d680b3f0c1aff8b00f2d6c0ea23a3feaa4466a158bf4248d5defa810b9c2b78c234aafadd10d8ee0

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI26D3.tmp.RYK
MD5
ae710d97173654608b2c24f3dd03efa1

SHA1
1dc80756d6ffa3318a4ffb45a21e64b19ecef8a4

SHA256
202ed53a5cf464a71c91cb671c02ea504d1bc48160d2b12f56badbcdca4a25aa

SHA512
caebdc3dba018699cf99c962424edbb0851331b0ea1d53f46b9acdab6f94eb7b6afad1fbb4f1e9f7e90d6da57263b082c0e91ca49cb9db272e6030d90079f696

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
MD5
67a8eb24b82f28870abe364fc9fdf75a

SHA1
89bbbc7f87a092585a75c5b4e089d8bed6722091

SHA256
90e752209d1d3caf35d17decb6bdcba725377f4fdacd9d9f89063149e9c4af63

SHA512
00a4b9e3f947901a19bd347ef1e2efd9cc400c506bf1eb17eb24e5ae611e850da9e73e1a5aab4ab8f594920b531fcce7811a897b07236bc2f23a4d7efc985733

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
MD5
10ea4bc26e6af50b6de5818440434bb9

SHA1
c55b1e973512a022643320ca11f0df4efd426d25

SHA256
3a4b8cd42d590abae7e3cc7a190bdff3af0d0e303095c7886e8bbe94478c3fea

SHA512
83a3e571c4e7f8ae0eacea14cf73ff13941e0d9e76d6788bbcbde393e48c324518136173f993f82eda8c6b4fe8505fd25b6c758a6dcc904d640fb03ac5e7126c

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
MD5
f44017619764e5b8b9df8f5b6d98a7c1

SHA1
697a25a603e24d5c75c3b7c3263700e31e89ea52

SHA256
f977956d09731067b64ffe5b141e325b3418a65705ff0e00caa9608f001b3287

SHA512
4b0552390b2a54319dd9fa51fd566f2f542892e40678a3fd0e069e2c9c7b26f746ec4fdbf268cdf40bcce5497adb53019dcc136fd00a94f7d70b0b273c3def29

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft Help\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
MD5
a3be9fc9c12edc7adcf5d77e8cf8898d

SHA1
0fade9f3cabed17a573414d9a366e36068cc85c7

SHA256
a2ed22e27ba1f6d4b7c2ac7e34f9c72a2d5f52833161bfd41c1052badf3c4e44

SHA512
c13c98fb54f8fa1c9ca96710b4e75589771094b1a7484f4ae84119e46d46396aac99b6262d323392866cdf512513f1f6efb76e423a6b3bccbc63f4eb3daa8d39

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
MD5
3a057b9dd9ed7522bb2432e768a90ea0

SHA1
33d7195c091abb6d5d7adeabd962b7169bd21b14

SHA256
3d1a1574cf581490c77e46d04f247014ad94f2824d4a920a6d931b6377c973cb

SHA512
6d166a9f506f82e5e6f1cb9c1d9940bb8921c757d8b3997ac3962cb16f84f2ac38b29660819f0d952009306391cc7019d49bf91e554194a13e0de66a5771a231

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
MD5
881d9eca8ed0f938cf81d8877dba56e3

SHA1
bb82b721478e98dc7201deba8715f94b852f006b

SHA256
9165835bc0e6f88ff431a53a6c48e35fad9561af38fc79e92731a7bbaa4dcf22

SHA512
f21ddaebbd9348c8d1a65d314bb477a593ec0afc5026147d6b0a2ff77cfae30f5781c50d1cdf4cc0c299e9b342d3a70e03826f52b4a1dc485fbeabc8ed7b9c6e

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK
MD5
ca386a9c1717fad9d788745b9d00dd3a

SHA1
68dd89d0dfd066b8b2d0e67e4d550827840109e2

SHA256
4acbb79a06315e9a725a69ef7bdfd98f9659d1fe9e58ac75d537f593ab158c21

SHA512
8e87eba2bd1983991eede06d92632b925187019bd474b33832f2c15fcfa4e4b32f5d7f1bb6f6b5ff952aee701e7fbafd9b045b1e55e0c7429524769b9cb4b29d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK
MD5
23b0c36d6a0bb8d0ad74a41685d190e7

SHA1
0b7991428be3cb4568009eabdb0467612c69c737

SHA256
96a569741da953a908a57267088be5901a9e8d043779686f832be8ad05b03689

SHA512
8ee66b4d1a825ced17068331849425dd8d750e02f853bd5c751c5f33ff448186a257f236b9ecb5f31c72a235a9bd23b2b9b65533a7d02f3c4bbb146cf390362d

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK
MD5
a0290822ac208802cec8d744cdb0e56f

SHA1
7a34938dbfd11695a98788b75aece5b44b78cb7e

SHA256
fc58a9a46dff971d3ba65114e3ddfb38c238e0a1eb771f75d9c9c240eec49896

SHA512
d5f3597b37c9120c24c5468f37899ba5f03dcaba27e32b71e62d5459d93667bd7ead3bbe4ca2627cc1cd405836360d1d4f393617242d29c5008b4907069cf6be

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Sidebar\Settings.ini.RYK
MD5
04cea7251555cb4eeb1f5333cc44d3d0

SHA1
c0c7e974cfaa906cc3bb2862e340036da3b1e81d

SHA256
0522de59a4e472b23e40453aa4650c3993469cafb2e31304f80c23825828933c

SHA512
0d682d08d078b72c3d3b104b0c4a97d4bcd7979a144e40860d59df088b1ea1013e279dc979883f7b9d388a4b04181e62dbb2290902cbf34922afa32a77252a11

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\PowerShell\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\451239123\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.logRYK.RYK
MD5
7080b63d3c8dc8713c340cf377723b25

SHA1
768a6976cdd487ceccc5a0b84ac93ea2dc04a289

SHA256
15be32aecb751b3e2a634620cea248398d16546a04a7ef5098fc0d99ead0af03

SHA512
12c28d453a7f061695e20524fb2659773b193c1cb2dc5d4bb0bbc06f8c51a63882071a2d9042c93b2293c9c2481f3c884ccfd5fdc8176246af8abb359f2dcded

Download Submit
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\Admin\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\Documents and Settings\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_14c10c19-3a0b-4ef0-8928-af871cb14c00
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
f21cd06048e07dd24138bd10b1d2e9a7

SHA1
d131f489f00339a2f3f44ab2f85c65c09247f0cc

SHA256
23d5c8cdc7f19e512415ae1bc3c2bc11ae788425363bf88de873ad10bc0dbec7

SHA512
315a6e481c9e0c97dff92e452c30ec621c427e89c2d42f4a8a2accd75d298ba83b17e07202b17aff5035f40ebe9aabb6557fef09647eb14765642bda5cc47018

Download Submit
memory/1136-59-0x000000013FB10000-0x000000013FE99000-memory.dmp

Filesize
3.5MB

Download
memory/94212-124-0x000007FEFC4A1000-0x000007FEFC4A3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads