Malware Analysis Report

2024-08-06 09:28

Sample ID 220908-q7nryaefh5
Target ryuk.exe
SHA256 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
Tags persistence ryuk ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10
SHA256 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Threat Level: Known bad

The file ryuk.exe was found to be: Known bad.

Malicious Activity Summary

persistence ryuk ransomware

Ryuk

Modifies extensions of user files

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported 2022-09-08 13:54

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2022-09-08 13:54
Reported 2022-09-08 13:56
Platform win10v2004-20220812-en
Max time kernel 8s
Max time network 11s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\GvTYI.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\users\Public\GvTYI.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\GvTYI.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\GvTYI.exe N/A
N/A N/A C:\users\Public\GvTYI.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\GvTYI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\users\Public\GvTYI.exe
PID 2284 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\users\Public\GvTYI.exe
PID 4208 wrote to memory of 4904 N/A C:\users\Public\GvTYI.exe C:\Windows\System32\cmd.exe
PID 4208 wrote to memory of 4904 N/A C:\users\Public\GvTYI.exe C:\Windows\System32\cmd.exe
PID 4208 wrote to memory of 2408 N/A C:\users\Public\GvTYI.exe C:\Windows\system32\sihost.exe
PID 4904 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4904 wrote to memory of 4816 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 4208 wrote to memory of 2448 N/A C:\users\Public\GvTYI.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 2744 N/A C:\users\Public\GvTYI.exe C:\Windows\system32\taskhostw.exe
PID 4208 wrote to memory of 3076 N/A C:\users\Public\GvTYI.exe C:\Windows\system32\svchost.exe
PID 4208 wrote to memory of 3280 N/A C:\users\Public\GvTYI.exe C:\Windows\system32\DllHost.exe

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\users\Public\GvTYI.exe

"C:\users\Public\GvTYI.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\GvTYI.exe" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
NL 20.190.160.22:443 tcp
NL 87.248.202.1:80 tcp

Files

memory/4208-132-0x0000000000000000-mapping.dmp

C:\Users\Public\GvTYI.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/4904-135-0x0000000000000000-mapping.dmp

memory/4816-136-0x0000000000000000-mapping.dmp

memory/2408-137-0x00007FF6A5670000-0x00007FF6A59FE000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted 2022-09-08 13:54
Reported 2022-09-08 13:56
Platform win7-20220812-en
Max time kernel 96s
Max time network 42s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\users\Public\HlgEm.exe N/A

Modifies extensions of user files

ransomware
Description Indicator Process Target
File opened for modification C:\Users\Admin\Pictures\InstallInvoke.tiff C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Users\Admin\Pictures\TestConfirm.tiff C:\Windows\system32\taskhost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\users\Public\HlgEm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\HlgEm.exe" C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationUp_ButtonGraphic.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENV98SP.POC C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\1047x576black.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Qatar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.reconciler.dropins.nl_ja_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\pagecurl.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Los_Angeles C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Verve.thmx C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay\TAB_ON.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwrcatlm.dat C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\localedata.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21342_.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15059_.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bs\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00489_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SL00308_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\TAB_OFF.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01152_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR49F.GIF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\sandbox.luac C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\lij.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Port_Moresby C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.webapp_3.6.300.v20140407-1855.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\Qyzylorda C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216540.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285782.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Thatch.eftx C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanMergeLetter.Dotx C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0199483.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0214934.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach.zh_CN_5.5.0.165303.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\vlc.mo C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\RyukReadMe.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-common_ja.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Monterrey C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Montevideo C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SCHDCNCL.CFG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\CollectSignatures_Init.xsn C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\ModifiedTelespace.ico C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Center C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD00155_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXT C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ASCIIENG.LNG C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\bg_Earthy.gif C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\users\Public\HlgEm.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\users\Public\HlgEm.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\users\Public\HlgEm.exe

"C:\users\Public\HlgEm.exe" C:\Users\Admin\AppData\Local\Temp\ryuk.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HlgEm.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HlgEm.exe" /f

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ResumeGrant.wmv"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x41c

Network

N/A

Files

memory/1968-54-0x0000000076141000-0x0000000076143000-memory.dmp

\Users\Public\HlgEm.exe

MD5 31bd0f224e7e74eee2847f43aae23974
SHA1 92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512 a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/1952-56-0x0000000000000000-mapping.dmp

memory/1952-58-0x000007FEFBE81000-0x000007FEFBE83000-memory.dmp

memory/932-59-0x0000000000000000-mapping.dmp

memory/1108-60-0x000000013F9B0000-0x000000013FD3E000-memory.dmp

memory/1324-62-0x0000000000000000-mapping.dmp

memory/1108-63-0x000000013F9B0000-0x000000013FD3E000-memory.dmp

memory/1108-66-0x000000013F9B0000-0x000000013FD3E000-memory.dmp
