ryuk | 683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb

Analysis

max time kernel
4294211s
max time network
119s
platform
windows7_x64
resource
win7-20220223-en
submitted
06-03-2022 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
Size

190KB
MD5

65865d94596a90b7e6204deb1de53c3d
SHA1

282e3776f86d3b0b2916ed6047ad272fe2f0cf6e
SHA256

683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb
SHA512

3c148f68856bf284f1775eb67a47ba880d4f69f8d6180a436a860484935c05d95ba5a3ff13e9c4280bb553f49e4f818ffce6e0a6016323d836cabe69bf8be7f5

Score

10^/10

ryuk ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

<html><body><p style="font-weight:bold;font-size:125%;top:0;left:0;"> [email protected] <br> </p><p style="position:absolute;bottom:0;right:1%;font-weight:bold;font-size:170%">balance of shadow universe</p><div style="font-size: 550%;font-weight:bold;width:50%;height:50%;overflow:auto;margin:auto;position:absolute;top:35%;left:40%;">Ryuk</div></body></html��

Emails

[email protected]

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Drops file in Drivers directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Executes dropped EXE 1 IoCs

pid	Process
960	AoWpqrX.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ResumeApprove.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\SaveSplit.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\SkipDeny.crw.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeDisable.png.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Loads dropped DLL 2 IoCs

pid	Process
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened (read-only)	\??\a:	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky003.inf_amd64_neutral_fe7ea176f20ab839\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky303.inf_amd64_ja-jp_b054bb0d59e0a3ad\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wpdcomp.inf_amd64_neutral_11bbf54c8508434e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\0409\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Dism\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\acpi.inf_amd64_neutral_aed2e7a487803437\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Setup\ja-JP\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\InstallShield\setupdir\001d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ko-KR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\lt-LT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\OEM\HomeBasic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\AutoRecover\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_neutral_4616c3de1949be6d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wialx005.inf_amd64_neutral_5304c93e2193f237\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\HomePremiumN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\Starter\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\OEM\HomePremiumE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\migwiz\replacementmanifests\Usb\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\oobe\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsv003.inf_amd64_neutral_1e0c4fbb9b11b015\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\ProfessionalE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\OEM\EnterpriseN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmntt1.inf_amd64_neutral_ecf5cff2236b273a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\netnvma.inf_amd64_neutral_99bb33c9a5bedaea\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomeBasicN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\HomePremium\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\wave.inf_amd64_neutral_7a0a0b166f55e1aa\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\_Default\HomePremiumN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\eval\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\bg-BG\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\megasas2.inf_amd64_neutral_599d713507780ed4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnkm003.inf_amd64_neutral_48652cda3bb15180\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\eval\HomeBasic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\Licenses\_Default\Starter\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmnova.inf_amd64_neutral_b52d8db82d8c3be9\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnts003.inf_amd64_neutral_33a68664c7e7ae4b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\en-US\Licenses\eval\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_neutral_ff250f861d941dd8\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmzoom.inf_amd64_neutral_dd07287cee791f3c\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnin003.inf_amd64_neutral_3a3c6293d0cda862\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\WCN\fr-FR\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\OEM\Professional\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmaiwa.inf_amd64_neutral_560c956da9bcd8f5\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnsh002.inf_amd64_neutral_42b7a64f45c7554c\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\sffdisk.inf_amd64_neutral_d2425e60845d17d3\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\Licenses\_Default\HomeBasicE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\faxca003.inf_amd64_neutral_5b8c7c1dda79bef4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj7.inf_amd64_neutral_7c21481229e1e66c\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnky305.inf_amd64_ja-jp_4d77cc4802b17ec3\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\Licenses\OEM\StarterN\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\SysWOW64\Setup\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmhayes.inf_amd64_neutral_507db5d34d7acddc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\mdmtdkj2.inf_amd64_neutral_0cf7696e2236ca4e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\prnlx00v.inf_amd64_neutral_86ff307c66080d00\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21533_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSOUC.HXS.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR26F.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Biscay\TAB_ON.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\vlc.mo.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\picturePuzzle.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT_F_COL.HXK.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.jpg	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00795_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01219_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.UK.XML.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSSPC.ECF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\diner.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0301052.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\THMBNAIL.PNG	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\1.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00034_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\settings.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\MinionPro-Regular.otf.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00438_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_box_divider_left.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107182.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR43B.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\NavigationRight_SelectionSubpicture.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TN00211_.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\LAUNCH.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00139_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0287005.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01130_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\bg_Country.gif	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MEDIA\APPLAUSE.WAV	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21364_.GIF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Americana\TAB_OFF.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME49.CSS	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Data1.cab.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0200611.WMF.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02282_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0183290.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_hail.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSPUB.OPG	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGNAVBAR.DPV	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCDRESNS.ICO.RYK	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\10.png	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02793_.WMF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\CALENDAR.GIF	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\gadget.xml	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-l..-startern.resources_31bf3856ad364e35_6.1.7601.17514_de-de_7b8ba987041ea900\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-d..-dvdupgrd.resources_31bf3856ad364e35_6.1.7600.16385_es-es_20df9e8e75ab9b4a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-label.resources_31bf3856ad364e35_6.1.7600.16385_en-us_e69e1194057fc6f2\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-syncui.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8c8bca194149a5ee\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0804\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-h..-firewall.resources_31bf3856ad364e35_6.1.7600.16385_de-de_d98f37dbc64f612d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-printp.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1f68c7fa33fa90bc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnca00z.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_a8068bfc4090886e\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-grouppolicy-base_31bf3856ad364e35_6.1.7600.16385_none_8e6cfdd835146ea7\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.InfoPath\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-b..nager-efi.resources_31bf3856ad364e35_6.1.7600.16385_pl-pl_da15326470c85ed1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_dot4.inf.resources_31bf3856ad364e35_6.1.7601.17514_es-es_856742fa2469f5ca\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_termmou.inf_31bf3856ad364e35_6.1.7601.17514_none_85ea6cb9fe0a4eef\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_hid-user.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_94492e5609cc02ce\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-p..cemanager.resources_31bf3856ad364e35_6.1.7600.16385_de-de_f869838c99403924\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-qedit.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a91f5643406b92c8\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\diagnostics\system\AERO\it-IT\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MUI\0409\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_megasr.inf.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d2208e5ce638932\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmpdui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_623c22be01a97b0b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnso002.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_0ec6f9ff3cb65d89\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-efs-rekeywiz.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_5bad87af8eaabac6\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes.resources\3.0.0.0_de_31bf3856ad364e35\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-c..lter-html.resources_31bf3856ad364e35_7.0.7600.16385_es-es_79bc59f984efa891\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Activities\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-w..figwizard.resources_31bf3856ad364e35_6.1.7600.16385_de-de_a28f8c13a106fedc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-p..rpautoreg.resources_31bf3856ad364e35_6.1.7600.16385_en-us_da811f79b0bb3938\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_netfx-webhightrust_config_b03f5f7f11d50a3a_6.1.7600.16385_none_2d1353cd39571370\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnep00g.inf.resources_31bf3856ad364e35_6.1.7600.16385_en-us_bf92656ce49f74a0\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-cttune.resources_31bf3856ad364e35_6.1.7600.16385_es-es_33ff0e2c2fbbe7fa\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.B3325a29b#\5a3b5e8dacb3f7675f8f480243680feb\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-d..lient-adm.resources_31bf3856ad364e35_6.1.7600.16385_en-us_936c40cbff4a0ef1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-netprofui.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3cfdaed76b6ce5f9\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnlx006.inf_31bf3856ad364e35_6.1.7600.16385_none_49c754b42a8fc0a2\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-snmp-evntwin.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_1d13bc12bc9f10d1\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_mdmbtmdm.inf.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_3b65196aa6c1f4a0\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-ddoiproxy_31bf3856ad364e35_6.1.7600.16385_none_9b5de95c17c5b6ed\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-help-license.resources_31bf3856ad364e35_6.1.7600.16385_en-us_afe6e4d2af24029d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..subsystem.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_f23d96c52b159c2d\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wow64.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_088c3de7050f2d95\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-storprop_31bf3856ad364e35_6.1.7600.16385_none_8c9c50707efb7dff\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.MediaCenter.UI\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_61883.inf.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e90147c1d8688d8b\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-fax-mapi_31bf3856ad364e35_6.1.7600.16385_none_b5e9a074c5f969cd\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-t..nvservice.resources_31bf3856ad364e35_6.1.7600.16385_en-us_16c89b47657be627\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-userinit.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8f92593333cd19dc\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\inf\usbhub\0000\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-n..admincore.resources_31bf3856ad364e35_6.1.7600.16385_en-us_c780a86542568eba\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-sysdm.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e93e24da10560bbd\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnhp002.inf.resources_31bf3856ad364e35_6.1.7600.16385_it-it_4b455d8f7c7615ed\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xaml.Hosting\fd6b42e0bdca1f3ed4dfde2639e39004\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-enhancedstorage-adm_31bf3856ad364e35_6.1.7600.16385_none_32eaeea928525e65\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\wow64_microsoft-windows-i..l-keyboard-00000449_31bf3856ad364e35_6.1.7601.17514_none_5348b25cacf09082\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-m..nts-mdac-rds-ce-vbs_31bf3856ad364e35_6.1.7600.16385_none_60fa09c2a3ae721a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_prnrc00c.inf_31bf3856ad364e35_6.1.7600.16385_none_3b11d85d2b1e2536\Amd64\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\x86_microsoft-windows-j..buggeride.resources_31bf3856ad364e35_8.0.7600.16385_de-de_858dd1788529016f\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_769841aa5f326474\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-wmviddsp_31bf3856ad364e35_6.1.7600.16385_none_02d8e5538eeeec51\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\amd64_sisraid4.inf.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a287bbeaaa72af42\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
File opened for modification	C:\Windows\winsxs\msil_microsoft.windows.d..gprogress.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3070ccf237ac1cb4\RyukReadMe.html	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
960	AoWpqrX.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
960	AoWpqrX.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
Token: SeBackupPrivilege	960	AoWpqrX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	27
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	27
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	27
PID 1568 wrote to memory of 960	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	27
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	28
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	28
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	28
PID 1568 wrote to memory of 576	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	28
PID 576 wrote to memory of 768	576	net.exe	30
PID 576 wrote to memory of 768	576	net.exe	30
PID 576 wrote to memory of 768	576	net.exe	30
PID 576 wrote to memory of 768	576	net.exe	30
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	31
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	31
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	31
PID 1568 wrote to memory of 632	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	31
PID 632 wrote to memory of 304	632	net.exe	33
PID 632 wrote to memory of 304	632	net.exe	33
PID 632 wrote to memory of 304	632	net.exe	33
PID 632 wrote to memory of 304	632	net.exe	33
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	35
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	35
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	35
PID 1568 wrote to memory of 1000	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	35
PID 1000 wrote to memory of 988	1000	net.exe	37
PID 1000 wrote to memory of 988	1000	net.exe	37
PID 1000 wrote to memory of 988	1000	net.exe	37
PID 1000 wrote to memory of 988	1000	net.exe	37
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	39
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	39
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	39
PID 960 wrote to memory of 9520	960	AoWpqrX.exe	39
PID 9520 wrote to memory of 9580	9520	net.exe	41
PID 9520 wrote to memory of 9580	9520	net.exe	41
PID 9520 wrote to memory of 9580	9520	net.exe	41
PID 9520 wrote to memory of 9580	9520	net.exe	41
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	45
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	45
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	45
PID 1568 wrote to memory of 56624	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	45
PID 56624 wrote to memory of 57080	56624	net.exe	46
PID 56624 wrote to memory of 57080	56624	net.exe	46
PID 56624 wrote to memory of 57080	56624	net.exe	46
PID 56624 wrote to memory of 57080	56624	net.exe	46
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	47
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	47
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	47
PID 1568 wrote to memory of 60316	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	47
PID 60316 wrote to memory of 60348	60316	net.exe	49
PID 60316 wrote to memory of 60348	60316	net.exe	49
PID 60316 wrote to memory of 60348	60316	net.exe	49
PID 60316 wrote to memory of 60348	60316	net.exe	49
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	51
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	51
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	51
PID 1568 wrote to memory of 113268	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	51
PID 113268 wrote to memory of 113292	113268	net.exe	53
PID 113268 wrote to memory of 113292	113268	net.exe	53
PID 113268 wrote to memory of 113292	113268	net.exe	53
PID 113268 wrote to memory of 113292	113268	net.exe	53
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	54
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	54
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	54
PID 1568 wrote to memory of 113304	1568	683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe	54

C:\Users\Admin\AppData\Local\Temp\683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe
"C:\Users\Admin\AppData\Local\Temp\683c3cdeda665afca5af0d964d280f27b3fbb77185b0a24584e139c33c5edddb.exe"
1⤵
- Drops file in Drivers directory
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\AoWpqrX.exe
  "C:\Users\Admin\AppData\Local\Temp\AoWpqrX.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:9520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:9580
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop "samss" /y
    3⤵
    PID:113344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "samss" /y
      4⤵
      PID:113368
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:768
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:304
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:988
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:56624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:57080
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:60316
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:60348
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:113268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:113292
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:113304
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:113328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-61-0x000000000E270000-0x000000000ED2A000-memory.dmp

Filesize
10.7MB

Download
memory/1568-54-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download