|
5/5
|
File System
|
Encrypts content of user files
|
1
|
Ransomware
|
|
-
Encrypts the content of multiple user files. This is an indicator for ransomware.
|
|
5/5
|
Local AV
|
Malicious content was detected by heuristic scan
|
3
|
-
|
|
-
Local AV detected the sample itself as "Generic.Ransom.Ryuk3.93DDF572".
|
|
-
Local AV detected a memory dump of process "sihost.exe" as "Generic.Ransom.Ryuk3.53B5959C".
|
|
-
Local AV detected a memory dump of process "v19v.exe" as "Generic.Ransom.Ryuk3.53B5959C".
|
|
5/5
|
Reputation
|
Known malicious file
|
1
|
Trojan
|
|
-
File "C:\Users\FD1HVy\Desktop\v19V.exe" is a known malicious file.
|
|
5/5
|
YARA
|
YARA match
|
159
|
Ransomware
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\SafeOS\preoobe.cmd".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\$GetCurrent\SafeOS\SetupComplete.cmd".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1025\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1025\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1028\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1028\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1029\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1029\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1030\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1030\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1031\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1031\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1032\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1032\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1035\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1036\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1038\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1037\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1037\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1038\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1036\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1035\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1033\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1033\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1040\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1040\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1041\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1041\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1042\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1042\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1043\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1043\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1044\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1044\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1045\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1045\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1046\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1046\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1049\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1049\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1053\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1053\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1055\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\1055\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\2052\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\2052\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\2070\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\2070\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\3076\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\3076\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\3082\eula.rtf".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\3082\LocalizedData.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Client\Parameterinfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Client\UiInfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\DHtmlHeader.html".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\DisplayIcon.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Extended\Parameterinfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Extended\UiInfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Print.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate1.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate2.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate3.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate4.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate5.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate6.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate7.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Rotate8.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Save.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\Setup.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\stop.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\SysReqMet.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Graphics\warn.ico".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\header.bmp".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\netfx_Core_x86.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\netfx_Extended_x64.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\netfx_Extended_x86.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\ParameterInfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\RGB9RAST_x64.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\RGB9Rast_x86.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\SetupUi.xsd".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\SplashScreen.bmp".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Strings.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\UiInfo.xml".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\watermark.bmp".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\netfx_Core_x64.msi".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Boot\BOOTSTAT.DAT".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\BOOTSECT.BAK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Active.GRL.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\MF\Pending.GRL.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.001.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateUx.002.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.2.xml.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.1.xml.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\DeploymentConfig.0.xml.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbtmp.log.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edb.chk.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbres00002.jrs.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Network\Downloader\edbres00001.jrs.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Storage Health\StorageEventsArchive.dat.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\Default User.dat.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-32.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-40.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-48.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Live\WLive48x48.png.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOPrivate\UpdateStore\UpdateCspStore.xml.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUx.001.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUx.002.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.001.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.002.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.003.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.004.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.017.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.016.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.015.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.013.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.014.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.012.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.010.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.009.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.008.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.007.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.006.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.002.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.005.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\NotificationUxBroker.011.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.003.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.004.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.005.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.006.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.007.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.008.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.009.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.010.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.011.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.012.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.013.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.014.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.015.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.016.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.017.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.018.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.019.etl.RYK".
|
|
-
Rule "HermesRyukEncryptedFile" from ruleset "Ransomware" has matched on the modified file "C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\USOShared\Logs\UpdateSessionOrchestration.020.etl.RYK".
|
|
4/5
|
Injection
|
Writes into the memory of another running process
|
5
|
-
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" modifies memory of "c:\windows\system32\sihost.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" modifies memory of "c:\windows\system32\svchost.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" modifies memory of "c:\windows\system32\taskhostw.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" modifies memory of "c:\program files\microsoft office\root\office16\msoia.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" modifies memory of "c:\windows\system32\dllhost.exe".
|
|
4/5
|
Injection
|
Modifies control flow of another process
|
9
|
-
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\sihost.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\svchost.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\taskhostw.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\systemapps\microsoft.windows.cortana_cw5n1h2txyewy\searchui.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\runtimebroker.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\program files\microsoft office\root\office16\msoia.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\apphostregistrationverifier.exe".
|
|
-
"c:\users\fd1hvy\desktop\v19v.exe" creates thread in "c:\windows\system32\dllhost.exe".
|
|
3/5
|
File System
|
Possibly drops ransom note files
|
1
|
Ransomware
|
|
-
Possibly drops ransom note files (creates 189 instances of the file "RyukReadMe.html" in different locations).
|
|
2/5
|
Anti Analysis
|
Resolves APIs dynamically to possibly evade static detection
|
1
|
-
|
|
-
Resolves an unusually high number of APIs.
|
|
2/5
|
Anti Analysis
|
Delays execution
|
1
|
-
|
|
-
One thread sleeps more than 5 minutes.
|
|
2/5
|
Information Stealing
|
Reads sensitive browser data
|
1
|
-
|
|
-
Trying to read sensitive data of web browser "Internet Explorer / Edge" by file.
|
|
1/5
|
Process
|
Creates process with hidden window
|
1
|
-
|
|
-
The process "net" starts with hidden window.
|
|
1/5
|
Process
|
Creates a page with write and execute permissions
|
1
|
-
|
|
-
Allocates a page in a foreign process with "PAGE_EXECUTE_READWRITE" permissions, often used to dynamically unpack code.
|
|
1/5
|
File System
|
Creates an unusually large number of files
|
1
|
-
|
|
-
Creates an unusually large number of files.
|
|
1/5
|
Process
|
Process crashed
|
5
|
-
|
|
-
Process "c:\windows\system32\sihost.exe" crashed.
|
|
-
Process "c:\windows\system32\dllhost.exe" crashed.
|
|
-
Process "c:\windows\system32\runtimebroker.exe" crashed.
|
|
-
Process "c:\windows\system32\svchost.exe" crashed.
|
|
-
Process "c:\windows\system32\taskhostw.exe" crashed.
|
|
0/5
|
Process
|
Enumerates running processes
|
1
|
-
|
|
-
Enumerates running processes.
|
|