Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-f6l7lshbe4
Target 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
Tags
ryuk discovery ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab

Threat Level: Known bad

The file 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab was found to be: Known bad.

Malicious Activity Summary

ryuk discovery ransomware

Ryuk

Deletes shadow copies

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks computer location settings

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:29

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:29

Reported

2022-02-20 05:57

Platform

win7-en-20211208

Max time kernel

166s

Max time network

113s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe
PID 1648 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe
PID 1648 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe
PID 1648 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe
PID 1648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe
PID 1648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe
PID 1648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe
PID 1648 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe
PID 1648 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 1648 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1648 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\icacls.exe
PID 1484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1484 wrote to memory of 1592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\vssadmin.exe
PID 544 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 544 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 544 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 544 wrote to memory of 2248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1648 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2532 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 1648 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\net.exe
PID 2764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2764 wrote to memory of 2940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2532 wrote to memory of 2948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe

"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"

C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe

"C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe

"C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe" 8 LAN

C:\Windows\SysWOW64\cmd.exe

cmd /c "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

C:\Windows\SysWOW64\cmd.exe

cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"

C:\Windows\SysWOW64\cmd.exe

cmd /c "bootstatuspolicy ignoreallfailures"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delete

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
N/A 10.127.0.1:7 udp
NL 154.61.71.13:7 udp
NL 154.61.71.13:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1648-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

\Users\Admin\AppData\Local\Temp\HlcPadDIxlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\Users\Admin\AppData\Local\Temp\hfZhdHvkMlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\$Recycle.Bin\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_3bd845b8-ce6a-4337-9974-31490196462a

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\$Recycle.Bin\S-1-5-21-2329389628-4064185017-3901522362-1000\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 db4ca29781842b11c4a2ce4917ceafdd
SHA1 533d98314670965f4facbe48b44a5549cd8fcdf5
SHA256 3bb429147e7b2c3c92eb5542372289508c2755fcc608335cb4a0d175ca5ad7d9
SHA512 83206f81429d3afbda72ec46ebf75a556551859d5d724e2197b3ad127de735adb01fd07f6ae9163af6cfedc5b9e731708cf3b3dd27b9cfad4ac22954f144b1e0

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 dfcffd11420575d7a90124f900bc468d
SHA1 81c9d9e93958a6be073aaa629fdadc9f8a915677
SHA256 7def7f5c6039aba320c281ecf12365bec3cb4ec15801853cfab9afd2717aaffb
SHA512 235034e149d005c22be60e2118bac7f8ab1f41f8b4f845e1fd06772e882aa75965307b25b8236bf8fe970bbbcd0062e06f0a91821335cd8a0a4b3e1db1f9d0af

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 6ee12ae700a6281f5a0318dcdf99b06b
SHA1 2e0703a20cecbe10111368080efbf8c9accfe092
SHA256 a1bedc24c8ad249322c9102b020b4360d28ebdbc0cf10831f2f1f3a749549493
SHA512 40ee9a580653b9543dfed84d828941e6d9f6dfa748a898a950d8f954e5c9e4daac68ad7405bb04fa85b0b5bde2eff5b2e29b5706f31a92a8e27e997f96a26184

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 0dd839453dcdd4f09adf74d5f62db29c
SHA1 8a3af6b66cd6ea1918b3982399f5d0d2ec482f79
SHA256 d98a55b776800afaf2f279d1628f6d309e3fef56b46a0e06358c7729df5fef36
SHA512 ee6205d54e6195fc727a3875f8d5f1924be331d95179ff1ddb141e43c7c70aa4cb5d37eeb06a036a65e5030034a94df6489622c01fcd3ae7b64070bdef8e29d8

C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 3d6a3119e0d253902bbe90e0ea7e70be
SHA1 bb06079920a708b1aeba66e923780b588f154742
SHA256 69052c0cbdf0c20197849b4d7c342d077f37dbd6c471631fedce10e51324fc3a
SHA512 9738fbddc6e3a5b5c58e1be1576b09f3b42e9978fc7593c4b7bb15f71eddfc48f92a5f596788940ddd577c4e9ff140627124ea048fe6d32349958896fd7f8ecc

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms.RYK

MD5 7d1642b9a7ead62110fb4067b27d7ba7
SHA1 41a86eae972e1cc8bfc991624d90a8c24607a46f
SHA256 3eaf066f124a65ab912764280737ed698bc8f9e5aa447402085c9afe93cdcfdb
SHA512 8e17e0e8c647f956f6a0ea959ec2c15b6e49cfedc96a48f66a00ab261018403d620867e39d39228292b0e7aa0ef6a017ba56c117a5bb22bc16c58d5de67279a3

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms.RYK

MD5 58fcd669cd7235e529003914c48b78e7
SHA1 554575d54b6db9a06e6d47fc0c0dbcffce371585
SHA256 1e1d1d15989a557e43312a83625a86f111a6dabcbbf2f5bf454fd41b275ab26d
SHA512 2dd6399e218efa12c92c23549e86bd896f19c46e772fd7b2b2c7c0794b32dc2234a79763013a9b9efbac6c532b9507083a9fea0a2b0d161f53b44e0345afa05a

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 fe9e23ada0dcda72ead85598c4b18492
SHA1 e27bbde11c4887f2167bb8bec6c3d883bfd210fa
SHA256 0ffc47621838cb127e38e25ae3ec6b83e74226f03a7104c60c66c1c1eacc8a60
SHA512 d816d268bf3966f06dc8dae3238d00d77fc054f20c5643fae9dc72a1d399fbc1df5eb19b1532d264ccd36d117d483edf255550f68ef58bb73b2f212f48909835

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\MSNBC News~.feed-ms.RYK

MD5 8406ff02f229ec1bb441dc7cade6f30f
SHA1 7677d0fb4bf7481a929f76b4c94fe25a72346bd2
SHA256 3bdbc42a935ffc76502f021fcd0cb322205b2177aa8e0a63fdc511f0863b27ed
SHA512 dd0abec52109358d45274c0d40054a3ce7ef44a5fc0e57d552f838a0e9f776d4ee15cbde5acb0f51afc63847d251b81a422ca4ebb088c2f84a7a373fe2b0f48c

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AE02W23T\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4HKVW8NZ\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\DSVD0N50\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\E16QEJ8K\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tracking Protection\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin9728060290\msapplication.xml.RYK

MD5 4c196fdc8db9e5339809694a3aec235e
SHA1 1479bbf743ac3341f4b3c29ef6523eaa2b810941
SHA256 122105c084ab8c179ae5382bcbf2e78a1dfd25ecdd382e9b50afba631d426c01
SHA512 f89ed9fe529da0f0aa0a3e01d95c8a50df7898bb9f6acb10c5ed309876d1d2d1a1387c43c847d4af268ece40b7700ece90321edf4f6d9084b5c81b489187de0c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-2845162440\msapplication.xml.RYK

MD5 48f458ec8bca25a6530eb47fb55d8136
SHA1 d7355dd056f4cbc897076cc3bfa00b6f88a12db8
SHA256 7fa6ffe6042719d0475561a6d1674747a372580d690e3feb359da65ee7ad0951
SHA512 ce45a4a08d56a42b0aa9f38e466b0914fc711dfd22901a7b96f20b9a6ceb6e2f96c6f88b5e021e81fa355fa73a60ef8e83f82ed071fc5de7f66724877790c595

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\7w612sw\imagestore.dat.RYK

MD5 bb5368e91fa5ddaa98c950d88fc8c942
SHA1 b47dc07ec85ed2719ef13a01f6c2d054e6a097cb
SHA256 ef506c628c83ab0c8be4bec4c30855924e39c6e62a35cf9224c1cd9c3efbbbee
SHA512 a02b37511c770ac5deaf28fba5c43e8c1d8441d8f35ad3676836b90b5d913d501d3cc3329ccb0f0be8659e549686e1c3696288a7c51d30c15be296b140b4b53e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.RYK

MD5 16074c1fdb008ff478cb57468970e5c4
SHA1 70652e69866bb39c57fa3f71a4638b1e836df663
SHA256 eb7fd1f89227c85c009d2fcc40d0d0c916639956aa81d0f75e646f13a973371f
SHA512 acf303f56593092945a3188d7f204e04d3897a95c522cbc3f3e8a3a87839dbdc600c602b06333102abc56a15be0159507cc201562a10f3cd90ddb502c3d9d36f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 f47c802fc6fc8d0ab33c86d73cb9d845
SHA1 eb0f1d5f71f1de40bd66e45a043b2ac8afe75f33
SHA256 4865ead64461d8555095c3dede228aa47b9f319a9df84199ae9c03a1c385f49e
SHA512 a4fec624b55ef2348b0b226dab2a872236c6bc4591345eaff0193050a2efd3f5f9a2a316b590ce12b299c6674393f09f768ec5e1936f988ea2057fe6bf7bf8e2

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 a81455e7a57ffe8098a24b17949c16c9
SHA1 210513822ea29b9e1a715a6be7bd830d9a2be588
SHA256 ef6091856507410a4c29229f490d1eb92b22e2cc34edce292e13ab07690fbcfb
SHA512 55c1854d99041d3e00e4447bf8aef8faff20716d58644b9873590ac156e1cd59664a2ec1c0dfbc8f250edd68bc46d01716567555e11a0c64d11f28404e9ea219

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\ZZZ3YRT4\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VU6HH54M\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VL9MRVWS\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H2R8HLJC\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK

MD5 bfea318b62b3b7a270d2689ad4133ee6
SHA1 056d9dc7e8cf89123abed7453c9f0ef46a93c70b
SHA256 eeafb6ab7344c2081005bfde4a8fe69eeec875acc2c139a6bb0d138ef9c8eb97
SHA512 e041429ba3745190ee3b8b37eec7c426bf5e4720c680df877375112bc5cccf8b3ba36860f4e7e76c0f82b3a2d5b0a8166e1348c41401fe1041856aa2f842e681

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 b152876cdaafe499a5b3426d9d8004b6
SHA1 7667a7ecce3bbb357c0b9dbd8f64dbbd33d985a3
SHA256 b8a23081a3eecb7b8f53750c7224a1e97ba3e6c25f0d7d751fd8742bf7e42724
SHA512 36bd75bf1536128b45508e12ee4ca71f9b17d3bfc415be6f50df482208eb806a7e39e77096857ac3c481488319dd256a54cd8bf53f7d91a04b35f45018cc55ea

C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5 bbb26bbeb685872b0f1eaa0d89360db9
SHA1 133a3deba856832771866df603311d09681654f0
SHA256 3fd4b5721e74de04ea47edb6defb2ec05af27e23fc33f149cfed437bde4b2cce
SHA512 9ae9c6848bc6ea4cf36cf5054460a0f498222bdd80c27864e12677723812569bbbb2eda0016aa0b929256001e8099839ae6df1fa34f251d6447aa2482850ec16

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\00008046\10_All_Music.wpl.RYK

MD5 d3ce640846e5117c8ee869e4ac6ac88d
SHA1 f686da67975be5e64b05bd2ba17565ba231e7238
SHA256 fb00a62aed4b887f7d775fc40f10fc7e2b87f2457ffe1055b76287e01471300c
SHA512 6839ad32efa76ed2dd354b5809cff37ba305d72cf20ad77a46c9ede5f722ebffb1844334f350ee32a32899af5bac2333e0464db3395b12a14f914ad916ac0078

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:29

Reported

2022-02-20 05:57

Platform

win10v2004-en-20220112

Max time kernel

170s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2856 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe
PID 2856 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe
PID 2856 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe
PID 2856 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe
PID 2856 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe
PID 2856 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe
PID 2856 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe
PID 2856 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe

"C:\Users\Admin\AppData\Local\Temp\7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab.exe"

C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe

"C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe" 8 LAN

C:\Windows\system32\MusNotifyIcon.exe

%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13

C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe

"C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe" 8 LAN

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
NL 92.123.77.56:80 tcp
NL 92.123.77.56:80 tcp
NL 104.110.191.140:80 tcp
NL 104.110.191.140:80 tcp
NL 104.80.224.57:443 tcp
NL 104.110.191.140:80 tcp
FR 2.16.119.157:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\Users\Admin\AppData\Local\Temp\RasgMWNaGlan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28

C:\Users\Admin\AppData\Local\Temp\fxhrazOTClan.exe

MD5 cb5081d3b8af578c247dab9bd5e16841
SHA1 b4870d7b1f6a9f531259efc74a9468d8a045d8f0
SHA256 7a6c6890028ab340f918ef1116a4db9cc852d899290bd1e99b0b8565553768ab
SHA512 5bd6e7f2e04abb6d1d5f640730f7d60c1f202b6440e0888bba15708b4b88acb669a138aaf31d5782ce6409ab74970614970cda99dde1ef757299a4f61b257f28