ryuk | 683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb

General

Target

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
Size

190KB
MD5

65865d94596a90b7e6204deb1de53c3d
SHA1

282e3776f86d3b0b2916ed6047ad272fe2f0cf6e
SHA256

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
SHA512

3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> unumschooler1972@protonmail.com <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

unumschooler1972@protonmail.com

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

unumschooler1972@protonmail.com balance of shadow universe Ryuk

Emails

unumschooler1972@protonmail.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 14 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Executes dropped EXE 1 IoCs

Processes:

AoWpqrX.exe

pid process

960 AoWpqrX.exe

pid	process
960	AoWpqrX.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\ResumeApprove.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\SaveSplit.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\SkipDeny.crw.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeDisable.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops startup file 1 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Loads dropped DLL 2 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

pid	process
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened (read-only)	\??\A:	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened (read-only)	\??\a:	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in System32 directory 64 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\0409\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_neutral_aed2e7a487803437\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Setup\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\AutoRecover\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wialx005.inf_amd64_neutral_5304c93e2193f237\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Starter\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\oobe\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremium\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wave.inf_amd64_neutral_7a0a0b166f55e1aa\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\megasas2.inf_amd64_neutral_599d713507780ed4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\WCN\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_neutral_7c21481229e1e66c\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Setup\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in Program Files directory 64 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSSPC.ECF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301052.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\LAUNCH.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\APPLAUSE.WAV	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Data1.cab.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02282_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.OPG	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNS.ICO.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02793_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in Windows directory 64 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

description	ioc	process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_de-de_7b8ba987041ea900\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..-dvdupgrd.resources_31bf3856ad364e35_6.1.7600.16385_es-es_20df9e8e75ab9b4a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e69e1194057fc6f2\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-syncui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8c8bca194149a5ee\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0804\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..-firewall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d98f37dbc64f612d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-printp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1f68c7fa33fa90bc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8068bfc4090886e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_dot4.inf.resources_31bf3856ad364e35_6.1.7601.17514_es-es_856742fa2469f5ca\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_termmou.inf_31bf3856ad364e35_6.1.7601.17514_none_85ea6cb9fe0a4eef\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94492e5609cc02ce\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..cemanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f869838c99403924\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-qedit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a91f5643406b92c8\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MUI\0409\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d2208e5ce638932\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_623c22be01a97b0b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnso002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ec6f9ff3cb65d89\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5bad87af8eaabac6\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\3.0.0.0_de_31bf3856ad364e35\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..lter-html.resources_31bf3856ad364e35_7.0.7600.16385_es-es_79bc59f984efa891\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a28f8c13a106fedc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da811f79b0bb3938\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-webhightrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_2d1353cd39571370\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00g.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf92656ce49f74a0\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-cttune.resources_31bf3856ad364e35_6.1.7600.16385_es-es_33ff0e2c2fbbe7fa\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\5a3b5e8dacb3f7675f8f480243680feb\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..lient-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_936c40cbff4a0ef1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3cfdaed76b6ce5f9\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx006.inf_31bf3856ad364e35_6.1.7600.16385_none_49c754b42a8fc0a2\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-snmp-evntwin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1d13bc12bc9f10d1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmbtmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3b65196aa6c1f4a0\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ddoiproxy_31bf3856ad364e35_6.1.7600.16385_none_9b5de95c17c5b6ed\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-license.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afe6e4d2af24029d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f23d96c52b159c2d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_088c3de7050f2d95\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-storprop_31bf3856ad364e35_6.1.7600.16385_none_8c9c50707efb7dff\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.UI\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_61883.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e90147c1d8688d8b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-fax-mapi_31bf3856ad364e35_6.1.7600.16385_none_b5e9a074c5f969cd\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_16c89b47657be627\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8f92593333cd19dc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\inf\usbhub\0000\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..admincore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c780a86542568eba\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e93e24da10560bbd\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4b455d8f7c7615ed\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml.Hosting\fd6b42e0bdca1f3ed4dfde2639e39004\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-enhancedstorage-adm_31bf3856ad364e35_6.1.7600.16385_none_32eaeea928525e65\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000449_31bf3856ad364e35_6.1.7601.17514_none_5348b25cacf09082\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-vbs_31bf3856ad364e35_6.1.7600.16385_none_60fa09c2a3ae721a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnrc00c.inf_31bf3856ad364e35_6.1.7600.16385_none_3b11d85d2b1e2536\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_de-de_858dd1788529016f\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_769841aa5f326474\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmviddsp_31bf3856ad364e35_6.1.7600.16385_none_02d8e5538eeeec51\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_sisraid4.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a287bbeaaa72af42\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.windows.d..gprogress.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3070ccf237ac1cb4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exeAoWpqrX.exe

pid	process
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exeAoWpqrX.exe

description	pid	process
Token: SeBackupPrivilege	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
Token: SeBackupPrivilege	960	AoWpqrX.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exenet.exenet.exenet.exeAoWpqrX.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	AoWpqrX.exe
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	AoWpqrX.exe
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	AoWpqrX.exe
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	AoWpqrX.exe
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 576 wrote to memory of 768	576	net.exe	net1.exe
PID 576 wrote to memory of 768	576	net.exe	net1.exe
PID 576 wrote to memory of 768	576	net.exe	net1.exe
PID 576 wrote to memory of 768	576	net.exe	net1.exe
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 632 wrote to memory of 304	632	net.exe	net1.exe
PID 632 wrote to memory of 304	632	net.exe	net1.exe
PID 632 wrote to memory of 304	632	net.exe	net1.exe
PID 632 wrote to memory of 304	632	net.exe	net1.exe
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1000 wrote to memory of 988	1000	net.exe	net1.exe
PID 1000 wrote to memory of 988	1000	net.exe	net1.exe
PID 1000 wrote to memory of 988	1000	net.exe	net1.exe
PID 1000 wrote to memory of 988	1000	net.exe	net1.exe
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	net.exe
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	net.exe
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	net.exe
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	net.exe
PID 9520 wrote to memory of 9580	9520	net.exe	net1.exe
PID 9520 wrote to memory of 9580	9520	net.exe	net1.exe
PID 9520 wrote to memory of 9580	9520	net.exe	net1.exe
PID 9520 wrote to memory of 9580	9520	net.exe	net1.exe
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 56624 wrote to memory of 57080	56624	net.exe	net1.exe
PID 56624 wrote to memory of 57080	56624	net.exe	net1.exe
PID 56624 wrote to memory of 57080	56624	net.exe	net1.exe
PID 56624 wrote to memory of 57080	56624	net.exe	net1.exe
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 60316 wrote to memory of 60348	60316	net.exe	net1.exe
PID 60316 wrote to memory of 60348	60316	net.exe	net1.exe
PID 60316 wrote to memory of 60348	60316	net.exe	net1.exe
PID 60316 wrote to memory of 60348	60316	net.exe	net1.exe
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 113268 wrote to memory of 113292	113268	net.exe	net1.exe
PID 113268 wrote to memory of 113292	113268	net.exe	net1.exe
PID 113268 wrote to memory of 113292	113268	net.exe	net1.exe
PID 113268 wrote to memory of 113292	113268	net.exe	net1.exe
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	net.exe

C:\Users\Admin\AppData\Local\Temp\683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
"C:\Users\Admin\AppData\Local\Temp\683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\AoWpqrX.exe
"C:\Users\Admin\AppData\Local\Temp\AoWpqrX.exe" 8 LAN
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
- Suspicious use of WriteProcessMemory
PID:9520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:9580

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
3⤵
PID:113344

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
4⤵
PID:113368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:768

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:304

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:988

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:56624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:57080

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:60316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:60348

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:113268

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:113292

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:113304

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:113328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_1a933a73-4d03-4b91-8cac-7b66f466e846
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\Local\Temp\AoWpqrX.exe
MD5
65865d94596a90b7e6204deb1de53c3d

SHA1
282e3776f86d3b0b2916ed6047ad272fe2f0cf6e

SHA256
683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb

SHA512
3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
MD5
3b40f517a25611205b0ba7af8ae225f1

SHA1
aa7e89f3d1202b37ff89d629ebe10dae8c4e14db

SHA256
385752904c61abf42b315b172c40b4a50d50cc58c94077cff0815c834e1ac013

SHA512
8d17239868ef33175214e14fc5ad245c9d5505deaf8747c079e6e05bca1c77e62bbacc5af8519dccae63b8d4e959ed32d3748d62de1aa3f7b256c35524af9f52

Download Submit
\Users\Admin\AppData\Local\Temp\AoWpqrX.exe
MD5
65865d94596a90b7e6204deb1de53c3d

SHA1
282e3776f86d3b0b2916ed6047ad272fe2f0cf6e

SHA256
683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb

SHA512
3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Download Submit
\Users\Admin\AppData\Local\Temp\AoWpqrX.exe
MD5
65865d94596a90b7e6204deb1de53c3d

SHA1
282e3776f86d3b0b2916ed6047ad272fe2f0cf6e

SHA256
683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb

SHA512
3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Download Submit
memory/960-61-0x000000000E270000-0x000000000ED2A000-memory.dmp

Filesize
10.7MB

Download
memory/1568-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads