Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gevkcaacfj
Target 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA256 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
Tags
ryuk discovery persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030

Threat Level: Known bad

The file 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery persistence ransomware

Ryuk

Deletes shadow copies

Executes dropped EXE

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:43

Reported

2022-02-20 06:34

Platform

win7-en-20211208

Max time kernel

174s

Max time network

80s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IJecnaS.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
PID 1156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
PID 1156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
PID 1156 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe
PID 1156 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\taskhost.exe
PID 1156 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\Dwm.exe
PID 1156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1696 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 852 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 852 wrote to memory of 876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 852 wrote to memory of 876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 852 wrote to memory of 876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 852 wrote to memory of 876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1696 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1696 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1696 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1696 wrote to memory of 1508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1156 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\icacls.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\vssadmin.exe
PID 676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\vssadmin.exe
PID 676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\vssadmin.exe
PID 676 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1156 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1156 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1156 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1156 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\vssadmin.exe
PID 1156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1156 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1216 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1216 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1156 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1156 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
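The table above mixes two different things. The repeated writes from the sample (PID 1156) into each process it launches (IJecnaS.exe, net.exe, icacls.exe, cmd.exe, vssadmin.exe) are the normal child start-up pattern: the parent writes into the new process's address space while creating it. The single writes into taskhost.exe (PID 1144) and Dwm.exe (PID 1236) are different: those processes were running before the sample started, so the sample is writing into processes it did not create. The Files section below also records a memory dump taken from PID 1144 (0x30000000-0x3016F000), consistent with code having been placed there. The script below is an added example, not part of the sandbox report: it rebuilds a process tree from constructed process-creation records (PIDs and images taken from this report, parent PIDs assumed because the report does not list them) and separates writes into a process's own children from writes into anything else.

```python
"""Classify WriteProcessMemory events by whether the writer created the target.

Added example; it is not part of the sandbox report. Process records are
constructed: PIDs and images follow the behavioral1 tables, but the parent
PIDs (ppid) are assumed, since the report only exposes parent/child
relations through the write pairs themselves.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class Write:
    writer: int
    target: int


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"

# Constructed process list. PID 600 stands in for the session process that
# owns taskhost.exe and Dwm.exe; 1600 stands in for the shell that ran the sample.
PROCS = [
    Proc(1144, 600, r"C:\Windows\system32\taskhost.exe"),
    Proc(1236, 600, r"C:\Windows\system32\Dwm.exe"),
    Proc(1156, 1600, SAMPLE),
    Proc(676, 1156, r"C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe"),
    Proc(1696, 1156, r"C:\Windows\SysWOW64\net.exe"),
    Proc(1508, 1696, r"C:\Windows\SysWOW64\net1.exe"),
    Proc(1672, 676, r"C:\Windows\SysWOW64\vssadmin.exe"),
]

# Constructed write log: one row per WriteProcessMemory call, as the sandbox
# records it, so repeated pairs are real and expected during child start-up.
WRITES = [
    Write(1156, 676), Write(1156, 676), Write(1156, 676), Write(1156, 676),
    Write(1156, 1144),
    Write(1156, 1236),
    Write(1156, 1696), Write(1156, 1696),
    Write(1696, 1508),
    Write(676, 1672),
]


def classify_writes(procs, writes):
    """Return (expected, suspicious).

    expected:   (writer, target) pairs where the writer is the target's parent;
                CreateProcess writes into the child it is setting up, so these
                are ordinary process creation.
    suspicious: (writer, target, writer_image, target_image) for writes into
                any process the writer did not create: injection into a
                pre-existing process, or a PID the tree does not explain.
    """
    parent_of = {p.pid: p.ppid for p in procs}
    image_of = {p.pid: p.image for p in procs}
    expected, suspicious, seen = [], [], set()
    for w in writes:
        pair = (w.writer, w.target)
        if pair in seen:            # collapse the per-call rows to one per pair
            continue
        seen.add(pair)
        if parent_of.get(w.target) == w.writer:
            expected.append(pair)
        else:
            suspicious.append((w.writer, w.target,
                               image_of.get(w.writer, "<unknown>"),
                               image_of.get(w.target, "<unknown>")))
    return expected, suspicious


def injection_targets(procs, writes):
    """Lower-cased image names of processes that received writes from a non-parent."""
    _, suspicious = classify_writes(procs, writes)
    return sorted({t_img.rsplit("\\", 1)[-1].lower() for *_, t_img in suspicious})


if __name__ == "__main__":
    expected, suspicious = classify_writes(PROCS, WRITES)
    print(f"{len(expected)} parent->child write pairs (normal start-up)")
    for writer, target, w_img, t_img in suspicious:
        print(f"INJECTION? pid {writer} ({w_img}) -> pid {target} ({t_img})")
```

The parent-of-target test is deliberately narrow: a parent that hollows a child it just created in a suspended state also looks "expected" here. To catch that case, combine this with the size and protection of the written region; the dump the sandbox took from PID 1144 is the kind of artifact that check would key on.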

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"

C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe

"C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y
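The command lines above are the ones a detection keys on: vssadmin.exe Delete Shadows /all /quiet and WMIC.exe shadowcopy delet remove the shadow copies (the verb is truncated as the sample runs it, and WMIC accepts the abbreviation, so a rule spelled "delete" misses it), icacls "<drive>:\*" /grant Everyone:F /T /C /Q hands full control of every file on each drive to Everyone, net stop "samss" /y and net stop "audioendpointbuilder" /y stop the Security Accounts Manager and Windows Audio Endpoint Builder services, and REG ADD ...\CurrentVersion\Run /v "svchos" ... /d "<path under AppData\Local\Temp>" /reg:64 sets the persistence recorded in the Signatures section. As an added example that is not part of the sandbox report, the script below encodes those argument shapes as rules and runs them over constructed Sysmon Event ID 1 style records; the field names pid/image/cmd and the rule names are this example's own.

```python
"""Flag the Ryuk-style command lines from this report in process-creation logs.

Added example; it is not part of the sandbox report. Rules are written against
the argument shapes in the Processes section and run over constructed records.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    pid: int
    image: str
    cmd: str


# Patterns match on the lower-cased command line and key on the arguments, not
# only the binary name, so routine admin use of the same tools stays quiet.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"vssadmin(?:\.exe)?\"?\s+delete\s+shadows\b.*/all\b.*/quiet\b")),
    # The sample runs the truncated verb "delet"; WMIC accepts any unique prefix.
    ("shadow_copy_delete_wmic",
     re.compile(r"wmic(?:\.exe)?\"?\s+shadowcopy\s+delet")),
    ("icacls_everyone_full_control_on_drive_root",
     re.compile(r"icacls(?:\.exe)?\"?\s+\"?[a-z]:\\\*\"?\s+/grant\s+everyone:f\b.*/t\b")),
    ("net_stop_sam_or_audio_service",
     re.compile(r"net1?(?:\.exe)?\"?\s+stop\s+\"?(?:samss|audioendpointbuilder)\"?\s+/y\b")),
    ("run_key_pointing_into_temp",
     re.compile(r"reg(?:\.exe)?\"?\s+add\s+\"?hk(?:ey_current_user|cu)\\software\\microsoft\\windows"
                r"\\currentversion\\run\"?\s.*/d\s+\"?[^\"]*\\appdata\\local\\temp\\")),
]

# Constructed records modelled on the behavioral1 process list, followed by
# three benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1288, "image": r"C:\Windows\SysWOW64\vssadmin.exe",
     "cmd": "vssadmin.exe Delete Shadows /all /quiet"},
    {"pid": 1980, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": 'cmd /c "WMIC.exe shadowcopy delet"'},
    {"pid": 1100, "image": r"C:\Windows\SysWOW64\icacls.exe",
     "cmd": r'icacls "C:\*" /grant Everyone:F /T /C /Q'},
    {"pid": 852, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": r'"C:\Windows\System32\net.exe" stop "samss" /y'},
    {"pid": 1828, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe" /f /reg:64'},
    {"pid": 4000, "image": r"C:\Windows\System32\icacls.exe",
     "cmd": r'icacls "C:\Shares\Finance" /grant Finance:(OI)(CI)R /T'},
    {"pid": 4001, "image": r"C:\Windows\System32\net.exe",
     "cmd": "net stop spooler /y"},
    {"pid": 4002, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]


def scan(events):
    """Return every (rule, event) match; one event can trigger several rules."""
    hits = []
    for ev in events:
        cl = ev["cmd"].lower()
        for name, rx in RULES:
            if rx.search(cl):
                hits.append(Hit(name, ev["pid"], ev["image"], ev["cmd"]))
    return hits


def host_verdict(hits, min_distinct_rules=3):
    """Any single tool fires on legitimate admin work; the combination on one
    host (shadow-copy deletion, ACL flattening, Run key, service stops) does not."""
    distinct = {h.rule for h in hits}
    return "ransomware-precursor" if len(distinct) >= min_distinct_rules else "clean"


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h.rule:45} pid={h.pid:<5} {h.cmd}")
    print("verdict:", host_verdict(hits))
```

The verdict threshold is what keeps this usable outside a sandbox: an administrator running vssadmin on a backup server is one rule firing; this sample trips all five within a few seconds on one host.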

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1156-54-0x00000000766D1000-0x00000000766D3000-memory.dmp

\Users\Admin\AppData\Local\Temp\IJecnaS.exe

MD5 090826c3c34fb53a639f1d2919e1b44c
SHA1 ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512 d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

\Users\Admin\AppData\Local\Temp\IJecnaS.exe

MD5 090826c3c34fb53a639f1d2919e1b44c
SHA1 ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512 d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

C:\Users\Admin\AppData\Local\Temp\IJecnaS.exe

MD5 090826c3c34fb53a639f1d2919e1b44c
SHA1 ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512 d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

memory/1144-59-0x0000000030000000-0x000000003016F000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 9a4d5a97f359c430fa85e4062b0f0722
SHA1 bc343aaffa58cb9a93fcc677e8c2917a5cc9c556
SHA256 9befa8ae8dc78fed1fb3be0fab33b028922c5b0c3624cb26ddf265487ce21f00
SHA512 73d8b35fb1f27b73f51eab186b855e9011bc05226aaa6aa4314c665a5d3eff60f5cc4bc47ac6a9fb8969b093905c0e380fd04fddf85163a34eebb197646c936a

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 0548767fd4eb790636d918494bb59147
SHA1 629887f7de2f5582387de39a76263f6f6d07868f
SHA256 7fae49675da5b7f33508b4e2ed7bfa461b76a1401eaf24e70bea38ce04e2df8c
SHA512 c1ffefd3cd577f24941b1166a23e0a4c9fb58663067cb193c58926456385ad5b2610fc738d7a43584bc8d6f9b0259341622d267c2c191f93ada09eb208af3bf5

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 c76dc13d3aaa5abb7f7caa5e4a3384dd
SHA1 85c77271cb2fdf97b916d8a2aed37127a942c6fa
SHA256 6c525de967e85ca649d46bed23e279866a898d7e0f50480e571fa77b21132460
SHA512 5b9ffd349bcc7afe90b95c9cba95d462533faa13491e1971eaa4b25f8396606b0c40ba2f7be9300efee3487076a215564fb98c4730154bbe249743418604a5ad

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 ad9cb5b733e30c0bec951cac94130619
SHA1 1b8239170a5ad6dc31fe4eb046d0758721fa31b5
SHA256 4b22ed6e92f70f0a4c050aec76df11991def25ab37267042bab120498163351a
SHA512 5b18adba30a4ffa760ee7e262b45dbee174e965715a40f6c41de97b39396dc8e3dfb15b095ab9587a51ba35b2488b6925ccde82540d7da0281d8755eb1836fe7

C:\Users\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\IconCache.db.RYK

MD5 3b6bcaa76bb3758cd611498758dd96d0
SHA1 377d1428c3dfe489d25dace08bcc7c03a166b66b
SHA256 0adb863edef9fe785fede471bbc38b057e58a237cffcf6feea149210118db3b9
SHA512 cf85b21fe70d81c6b3bb3afa625288f12e10f3d8e671bcb2e869956d13344a9ab67f58c6f613d34cb1abf7031702db5e6402842768ad83037c614793b1a9a136

C:\Users\Admin\AppData\Local\Google\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds\Microsoft Feeds~\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 064d78a24de28cf38e57907752b77b41
SHA1 e7a2a7132fb27ea9febb15866e04219137475321
SHA256 c99ea6c6a769d97c9563ff1748c9f1e5e73b9ddb74f00427595fab81d9334709
SHA512 445cb42f8bcbc554b485684c16937007558e41acaa4275b88280000c0acbded834189c7d25b4cc3a4e950c3381d341fc18ee2b52388bf1fd1b7ba42ea48ff64b

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1HZZ20GT\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\K819CMRP\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NK9YD4KU\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QDAZQ7UR\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Tiles\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\TabRoaming\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

MD5 4b7d72d5b844f5a4135952ce613322ba
SHA1 a0d9174d308c5a9339aaebe1af7490cc08534da0
SHA256 abacf5de8a07fdd11a011b49ccb72fd81100ce76682ef0a5a93a33b5ac2c192e
SHA512 f7efc8fc0145ae3317ce785eae21c3dcc2da9d758073519f82584db99515a46e13553cfe69d6474f0f92acf72374cca7041652f047378acbdcadcc750e2ce5ea

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 1131c33d7948438e2f2775abea4cb375
SHA1 9783139d7e9624f98945de31b0ed628535b39351
SHA256 cad15167b8452ff874ecd31f040cae958891e68a7bebf4bc087b233f7c9c9acf
SHA512 bd0eb5463532ba9762c8149f3bd1761c9019a1abcbcb306e1635c590ab7a48fea6defdbea6a6f69aa21d29ddf5d5540bdf3006de44b90a7a18c7715db9b64ed7

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 ccf25e67b39e0a7ddc1aca1a6d9ef104
SHA1 95d35c75489b57e75f44b209355081f3a8ed5f1c
SHA256 09d86bb1ae9926d6c52fbbb4eea69f4df1b93cda8d763ddd455256bd04e15a72
SHA512 191fc47653a0d94309d1882697c9997f029819171cef5c52fb04edb3188fc21b0a78ac6e11f078b71f099586cba4a07fe77982bfce92aa3205be19f1a6103505

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\TN1O5RR8\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\T9SSAR8Y\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\S3IV548V\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\N4BWCEPN\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb.RYK

MD5 9d095c37d4838fb5a035cf3395905ad7
SHA1 b203142c336515f9fca29bf2af911cb15ee92ff0
SHA256 6fe5fe21e30de7b330c8c8d4152a1594a6f8e63d8f88d0eb7bb89817b44632c4
SHA512 bb5f389bfad7e788f673dd798c98db80ff66a90858f6f2ca1c3f11bc32689821e987813a237abf2899c60f25058f948d66663e5ba254490a12dd532df6f4fa1a

C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 73457c40d3009e96d2f6774076d80b93
SHA1 cf353b1b747dc80f31bfc3af823b67702c9180bc
SHA256 682e465ce4ec1312ac860deb574eb49c505a5ac85db8b7a8e0ef12b2dd418fcd
SHA512 d545d47e3cbed304dbd79cba64ee4d6d8e9f04955397452efefd746fe23f8f4e0e4a0df275ffdfe1329d90d963a68fb061e575b5ac1fd9905c0f12ceb3f81afd

C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\PlayReady\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Office\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\User\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\System\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Office\Groove\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\GameExplorer\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat.RYK

MD5 09bbbbedca9b4304390aad0516732fbd
SHA1 e6f0cb2bc70d6950cbffab3df6b73424eb9e15df
SHA256 154e93259945386252639e89954ac7ab801d24ac728906bcb589bbb611fed67d
SHA512 15baf0f41cdf4e725929b845897e34545e6a1010aa779a42b3ddfbb75b17127fffb31b55a2cb7661b148b45aafae53f4ab2187e5088608dae836177052e4a3a0

C:\Users\Admin\AppData\Local\Microsoft\Windows\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09
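
The listing above is long but carries only two kinds of Ryuk artefact: a ransom note (RyukReadMe.html) written once into every directory the sample walked, always with the same hashes, and the encrypted originals renamed with a .RYK suffix. The script below is an added example written for this page, not code from the sandbox report; it parses the report's own "path, blank line, hash lines" layout, buckets the entries, and checks that every note copy hashes identically before the note hash is used as an indicator. SAMPLE_LISTING is a four-entry excerpt of the listing above (SHA512 lines left out), embedded so it runs offline.

```python
"""Parse the sandbox 'Files' listing and separate the two Ryuk artefacts it
records: one ransom note dropped into every directory the sample touched, and
the encrypted originals renamed with a .RYK suffix.

Added example; this is not code from the sandbox report. SAMPLE_LISTING is a
four-entry excerpt of the report's own listing (SHA512 lines left out).
"""
import re
from collections import Counter

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml

MD5 4b7d72d5b844f5a4135952ce613322ba
SHA1 a0d9174d308c5a9339aaebe1af7490cc08534da0
SHA256 abacf5de8a07fdd11a011b49ccb72fd81100ce76682ef0a5a93a33b5ac2c192e

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 1131c33d7948438e2f2775abea4cb375
SHA1 9783139d7e9624f98945de31b0ed628535b39351
SHA256 cad15167b8452ff874ecd31f040cae958891e68a7bebf4bc087b233f7c9c9acf

C:\Users\Admin\AppData\Local\Microsoft\Media Player\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
"""


def parse_file_listing(text):
    """Turn 'path / blank / hash lines' blocks into dicts keyed by path and hash type."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        hash_match = HASH_RE.match(line)
        if hash_match and current is not None:
            current[hash_match.group(1).lower()] = hash_match.group(2).lower()
        elif PATH_RE.match(line):
            current = {"path": line}
            entries.append(current)
    return entries


def basename(path):
    return path.rsplit("\\", 1)[-1]


def dirname(path):
    return path.rsplit("\\", 1)[0]


def summarize_ransomware_artifacts(entries, note_name="RyukReadMe.html", enc_ext=".RYK"):
    """Bucket the listing into ransom-note drops, encrypted files and anything else."""
    notes, encrypted, other = [], [], []
    for entry in entries:
        name = basename(entry["path"])
        if name.lower() == note_name.lower():
            notes.append(entry)
        elif name.upper().endswith(enc_ext.upper()):
            encrypted.append(entry)
        else:
            other.append(entry)
    # Every note is written from the same in-memory template, so all copies
    # should share one SHA256; a second hash means a second note variant (or a
    # partial write) and deserves a look before the hash goes on a blocklist.
    note_hashes = Counter(entry.get("sha256") for entry in notes)
    return {
        "note_count": len(notes),
        "note_hashes": dict(note_hashes),
        "note_directories": sorted(dirname(entry["path"]) for entry in notes),
        "encrypted": [entry["path"] for entry in encrypted],
        "original_names": [basename(entry["path"])[: -len(enc_ext)] for entry in encrypted],
        "other_written": [entry["path"] for entry in other],
    }


if __name__ == "__main__":
    summary = summarize_ransomware_artifacts(parse_file_listing(SAMPLE_LISTING))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the full listing, note_directories doubles as the list of directories the encryptor actually walked, and other_written (here iecompatdata.xml, which carries neither the note name nor the .RYK suffix) is the set of writes that need a separate explanation, usually the sandbox's own browser activity rather than the sample.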

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:43

Reported

2022-02-20 06:33

Platform

win10v2004-en-20220113

Max time kernel

184s

Max time network

205s

Command Line

C:\Windows\System32\RuntimeBroker.exe -Embedding

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PqdfzJO.exe" C:\Windows\SysWOW64\reg.exe N/A
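
The Run-key writes above, together with the net stop, icacls and WMIC invocations listed under Processes for this analysis, are the handful of command lines that make this sample's behaviour recognisable on an endpoint. The script below is an added example written for this page, not code from the sandbox report: it parses the report's own Processes layout (image path, blank line, command line), runs each command line through four patterns that cover exactly what this report shows, and pulls the value name and target out of the REG ADD. SAMPLE_PROCESSES is a seven-entry excerpt of this analysis's Processes list; the ATT&CK IDs are the standard technique numbers and the pattern set is this example's own, not something the report provides.

```python
"""Run the command lines this sandbox recorded through a small detector for
the four Ryuk behaviours they represent: service stops, ACL weakening,
shadow-copy deletion and Run-key persistence.

Added example; not code from the sandbox report. SAMPLE_PROCESSES is a
seven-entry excerpt of the report's own Processes list.
"""
import re

# Images in this report contain no spaces; the regex tolerates them anyway.
IMAGE_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.I)

SAMPLE_PROCESSES = r"""
C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding
"""

# (ATT&CK id, description, pattern). The WMIC verb is matched on its prefix:
# the sample runs the truncated 'delet' and WMIC executes it all the same.
RULES = [
    ("T1489", "service stop via net stop",
     re.compile(r'\bnet1?(\.exe)?"?\s+stop\s+', re.I)),
    ("T1222.001", "ACL weakening: icacls /grant Everyone:F",
     re.compile(r"\bicacls\b.*/grant\s+Everyone:F", re.I)),
    ("T1490", "shadow copy deletion via WMIC",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delet", re.I)),
    ("T1547.001", "Run key pointing into a user-writable Temp directory",
     re.compile(r'\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b.*/d\s+"?'
                r'[A-Za-z]:\\Users\\.*\\AppData\\Local\\Temp\\', re.I)),
]
RUN_KEY_RE = re.compile(r'/v\s+"?([^"\s]+)"?.*?/d\s+"([^"]+)"', re.I)


def parse_process_listing(text):
    """Pair each image path line with the command line that follows it."""
    procs, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is None:
            if IMAGE_RE.match(line):
                pending = line
        else:
            procs.append({"image": pending, "cmdline": line})
            pending = None
    return procs


def detect(cmdline):
    """ATT&CK ids of every rule the command line trips."""
    return [tid for tid, _, pattern in RULES if pattern.search(cmdline)]


def run_key_details(cmdline):
    """Value name and target path from a REG ADD Run-key command, else None."""
    m = RUN_KEY_RE.search(cmdline)
    return {"value": m.group(1), "target": m.group(2)} if m else None


def triage(text):
    """Flagged processes plus the distinct techniques seen across the listing."""
    flagged, techniques = [], set()
    for proc in parse_process_listing(text):
        hits = detect(proc["cmdline"])
        if hits:
            run_key = run_key_details(proc["cmdline"]) if "T1547.001" in hits else None
            flagged.append({**proc, "techniques": hits, "run_key": run_key})
            techniques.update(hits)
    return {"flagged": flagged, "techniques": sorted(techniques)}


if __name__ == "__main__":
    for proc in triage(SAMPLE_PROCESSES)["flagged"]:
        print(proc["techniques"], proc["cmdline"], proc["run_key"] or "")
```

The same patterns apply unchanged to Sysmon Event ID 1 or 4688 command lines; what they will not catch is the sample's second persistence path, where cmd.exe carries the whole REG ADD as its /C argument, unless the wrapper's command line is also fed through detect(), which is why triage() scans every process rather than only reg.exe.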

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\sihost.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\taskhostw.exe
PID 1392 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\svchost.exe
PID 1392 wrote to memory of 3284 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\DllHost.exe
PID 1392 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1392 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1392 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\System32\RuntimeBroker.exe
PID 1392 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1392 wrote to memory of 3732 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1392 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\System32\RuntimeBroker.exe
PID 4820 wrote to memory of 4452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4820 wrote to memory of 4452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4820 wrote to memory of 4452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\icacls.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1148 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 1148 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 1148 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 3580 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3580 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3580 wrote to memory of 1236 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 1148 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 1148 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\net.exe
PID 4564 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4564 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4564 wrote to memory of 4000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1392 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 4512 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\icacls.exe
PID 1392 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 4532 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\cmd.exe
PID 1392 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 3448 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
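
The table above mixes two very different things under one signature: writes the sample (PID 1392) makes into children it launches itself (PqdfzJO.exe, net.exe, icacls.exe, cmd.exe), and single writes into processes that were already running when it started (sihost.exe, svchost.exe, taskhostw.exe, DllHost.exe, RuntimeBroker.exe, SearchApp.exe, StartMenuExperienceHost.exe, backgroundTaskHost.exe), which is what injection into existing processes looks like from the outside. The script below is an added example written for this page, not code from the sandbox report: it parses the table's rows, rebuilds the writer-to-target chain, and splits the sample's targets into the two buckets. SAMPLE_TABLE is a 17-row excerpt of the table above. The rule used to label a target as injected is an assumption made here (this 32-bit sample launches its helpers from SysWOW64 or from its own drop directory, so a target outside both that never writes to anyone else was not launched by the sample); a sandbox that gives you the real parent PID makes that rule unnecessary.

```python
"""Rebuild the process relationships behind the 'Suspicious use of
WriteProcessMemory' table and tell writes into launched children apart from
writes into processes that were already running.

Added example; not code from the sandbox report. SAMPLE_TABLE is a 17-row
excerpt of the report's own table. launched_by_sample() encodes the
assumption described in the lead-in, not a fact recorded by the sandbox.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)

SAMPLE_TABLE = r"""
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe
PID 1392 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\system32\sihost.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\SysWOW64\net.exe
PID 1392 wrote to memory of 3452 N/A C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe C:\Windows\System32\RuntimeBroker.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4800 wrote to memory of 804 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 1148 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4160 wrote to memory of 3568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
"""


def parse_write_events(text):
    """One (writer_pid, target_pid, writer_image, target_image) tuple per row."""
    events = []
    for raw in text.splitlines():
        m = ROW_RE.match(raw.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1]


def launched_by_sample(image, sample_dir):
    """Assumption: the sample's helpers come from SysWOW64 or its drop directory."""
    low = image.lower()
    return "\\syswow64\\" in low or low.startswith(sample_dir.lower() + "\\")


def classify_targets(events, sample_pid):
    """Split the sample's write targets into 'spawned' and 'injected' buckets."""
    writers = {w for w, _, _, _ in events}
    sample_image = next(wi for w, _, wi, _ in events if w == sample_pid)
    sample_dir = sample_image.rsplit("\\", 1)[0]
    writes, images = defaultdict(int), {}
    for w, t, _, ti in events:
        if w == sample_pid:
            writes[t] += 1
            images[t] = ti
    spawned, injected = {}, {}
    for pid, image in images.items():
        own = launched_by_sample(image, sample_dir) or pid in writers
        (spawned if own else injected)[pid] = {"image": image, "writes": writes[pid]}
    return {"spawned": spawned, "injected": injected}


def build_tree(events):
    """writer pid -> {target pid: target image}, with repeated rows collapsed."""
    children = defaultdict(dict)
    for w, t, _, ti in events:
        children[w][t] = ti
    return children


def render_chain(children, pid, image, depth=0, out=None):
    """Indented 'pid image' lines following writer -> target edges from pid."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {basename(image)}")
    for child_pid, child_image in sorted(children.get(pid, {}).items()):
        render_chain(children, child_pid, child_image, depth + 1, out)
    return out


if __name__ == "__main__":
    events = parse_write_events(SAMPLE_TABLE)
    root_image = next(wi for w, _, wi, _ in events if w == 1392)
    print("\n".join(render_chain(build_tree(events), 1392, root_image)))
    for bucket, targets in classify_targets(events, 1392).items():
        print(bucket, {pid: basename(v["image"]) for pid, v in targets.items()})
```

On the full table the injected bucket holds thirteen targets, every one of them a 64-bit system binary under System32 or SystemApps that receives exactly one write and never writes to anything itself, while every spawned target receives three writes and, for net.exe and cmd.exe, goes on to write into a child of its own.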

Processes

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe

"C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe"

C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe

"C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" 8 LAN

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cmd.exe

cmd /c "WMIC.exe shadowcopy delet"

C:\Windows\SysWOW64\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\SysWOW64\Wbem\WMIC.exe

WMIC.exe shadowcopy delet

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030.exe" /f /reg:64

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe" /f /reg:64

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country  Destination          Domain  Proto
US       93.184.220.29:80     N/A     tcp
US       52.184.215.140:443   N/A     tcp
N/A      10.127.0.1:7         N/A     udp
NL       154.61.71.51:7       N/A     udp
N/A      224.0.0.22:7         N/A     udp
N/A      224.0.0.251:7        N/A     udp
N/A      224.0.0.252:7        N/A     udp
N/A      239.255.255.250:7    N/A     udp

Files

C:\Users\Admin\AppData\Local\Temp\PqdfzJO.exe

MD5 090826c3c34fb53a639f1d2919e1b44c
SHA1 ab355fed7323cb1dfaf1e32833acd77ffa23c287
SHA256 7465a3de8afaacba99d8bf27d06b6e8702c2baae28b95b3a68749e45bd7e3030
SHA512 d0ac51019f6d2652ae285b99fb68cbe5e3f2acf9cfa30b9d26d95e9692a5562fb8e5f5656afb55c71d191617be4336dd9b4dd7dad8b5f9107f7c9fd4789a7720

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_e269d2c1-0edf-4391-ac7b-818b8e88b04f

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\3D Objects\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc

MD5 c9e68ed326520b4ad5ff9f00576e1b09
SHA1 4189465ad4d3563eebe685d01e87ca55e7e085dd
SHA256 d2d79fb3e3095eefd2a8c29f499157f80df66e2a9b61bf37285d4c6841c49eab
SHA512 3a97934055a60fc58259d26a272d33a43c374aacf5bd762521020bd1f97b4b0159dde594e15cbc4b3a16be8b4b0dddc5ef529630bc38a4e37c1d6a281d3d5c57

C:\Users\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 8d23eb184e108fbd3fdd93df2cb2be6e
SHA1 6109f3336c87bac6488a193625ffd9019b209346
SHA256 055fbf05544ba3d8707ba53a2b51d0c5d848b7c0187db0f1a2bcd66a2a307957
SHA512 7c24e95603991d4145082d3749bf378ee0d6933d87dacc06fa50f6a7872d6f88fcde7dea5191a080a79af36ecfb3fab38e6cfeef6108dda1a9881d059e2aaf09