Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gfxq4ahcd7
Target 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA256 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
Tags
ryuk persistence ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b

Threat Level: Known bad

The file 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:45

Reported

2022-02-20 06:14

Platform

win7-en-20211208

Max time kernel

190s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BwDVIKn.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Count (consecutive identical rows) Description Indicator Process Target
2 N/A N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A
1 N/A N/A C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe N/A
1 N/A N/A C:\Windows\system32\taskhost.exe N/A
60 N/A N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A

Suspicious use of WriteProcessMemory

Count (consecutive identical rows) Description Indicator Process Target
3 PID 1488 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
1 PID 1488 wrote to memory of 1260 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\taskhost.exe
3 PID 1488 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
3 PID 1640 wrote to memory of 1568 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
3 PID 1488 wrote to memory of 1244 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
3 PID 1244 wrote to memory of 2000 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
1 PID 1488 wrote to memory of 1352 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\Dwm.exe
1 PID 1488 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
3 PID 1260 wrote to memory of 1484 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
3 PID 1260 wrote to memory of 1508 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
3 PID 1488 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
3 PID 1488 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\cmd.exe
3 PID 1104 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe C:\Windows\System32\net.exe
3 PID 2008 wrote to memory of 1704 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
3 PID 1484 wrote to memory of 900 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
3 PID 1300 wrote to memory of 892 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
3 PID 1508 wrote to memory of 2316 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
3 PID 1132 wrote to memory of 2308 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
3 PID 1104 wrote to memory of 15504 N/A C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe C:\Windows\System32\cmd.exe
3 PID 15504 wrote to memory of 15532 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
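
The table above lists one row per write call, which hides the shape of the process tree. The Python below is an added example by the editor, not sandbox output: it transcribes the rows as (writer PID, target PID, target image, consecutive row count) and rebuilds the tree. It relies on one pattern visible in this run: every child the sample launched (net.exe, cmd.exe and their net1.exe/reg.exe children) received exactly three writes, while taskhost.exe (1260) and Dwm.exe (1352), which the Processes list shows running with their normal command lines, received a single write each, and taskhost.exe then went on to launch net stop and REG ADD itself. The three-write rule is a heuristic calibrated on this report, not a property of the API.

```python
from collections import defaultdict

# Added example: editor's code, not sandbox output. Each tuple is one run of identical
# rows from the WriteProcessMemory table above: (writer PID, target PID, target image,
# number of consecutive identical rows).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe"
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\system32\net1.exe"
CMD, REG = r"C:\Windows\System32\cmd.exe", r"C:\Windows\system32\reg.exe"
IMAGES = {1488: SAMPLE}  # the root process is never a write target, so seed its image
WRITES = [
    (1488, 1104, DROPPED, 3),
    (1488, 1260, r"C:\Windows\system32\taskhost.exe", 1),
    (1488, 1640, NET, 3), (1640, 1568, NET1, 3),
    (1488, 1244, NET, 3), (1244, 2000, NET1, 3),
    (1488, 1352, r"C:\Windows\system32\Dwm.exe", 1),
    (1488, 1104, DROPPED, 1),
    (1260, 1484, NET, 3), (1260, 1508, CMD, 3),
    (1488, 1300, NET, 3), (1488, 1132, CMD, 3),
    (1104, 2008, NET, 3), (2008, 1704, NET1, 3),
    (1484, 900, NET1, 3), (1300, 892, NET1, 3),
    (1508, 2316, REG, 3), (1132, 2308, REG, 3),
    (1104, 15504, CMD, 3), (15504, 15532, REG, 3),
]
# Heuristic calibrated on this run only: every CreateProcess child here received exactly
# three writes (the net.exe -> net1.exe pairs are the control case). Any other count is
# treated as a write into a process the writer did not just create.
SPAWN_WRITES = 3


def build_tree(writes):
    """Return (children, images, injected): parent -> [child PIDs], PID -> image, and
    target PID -> [writer PIDs] for writes outside the spawn pattern."""
    children = defaultdict(list)
    images = dict(IMAGES)
    injected = defaultdict(list)
    for src, dst, image, count in writes:
        images.setdefault(dst, image)
        if count == SPAWN_WRITES:
            if dst not in children[src]:
                children[src].append(dst)
        else:
            injected[dst].append(src)
    return children, images, injected


def roots(children, images):
    """PIDs that were never spawned by another PID in the table (pre-existing processes)."""
    spawned = {c for kids in children.values() for c in kids}
    return [p for p in images if p not in spawned]


def descendants(children, pid):
    """Breadth-first list of every PID below pid."""
    out, queue = [], list(children.get(pid, []))
    while queue:
        p = queue.pop(0)
        out.append(p)
        queue.extend(children.get(p, []))
    return out


def render(children, images, injected, pid, depth=0):
    tag = ""
    if pid in injected:
        writers = ", ".join(str(s) for s in injected[pid])
        tag = f"   <-- single write from PID {writers} (injection candidate)"
    lines = ["  " * depth + f"{pid}  {images.get(pid, '?')}{tag}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, injected, child, depth + 1))
    return lines


def render_all(children, images, injected):
    lines = []
    for root in roots(children, images):
        lines.extend(render(children, images, injected, root))
    return lines


if __name__ == "__main__":
    print("\n".join(render_all(*build_tree(WRITES))))
```

Running it prints three roots: the sample, taskhost.exe and Dwm.exe. The 1260 subtree (taskhost.exe launching net stop and cmd /C REG ADD) is consistent with the Run value that points at C:\Windows\system32\taskhost.exe having been written by code running inside that process rather than by the sample directly, and the memory/1260-* dumps in the Files list are where to look for it.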

Processes

C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe

"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f
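
Triage of the command lines above, written by the editor as an added example (not sandbox logic). It parses the REG ADD lines and the net stop lines and applies the checks a practitioner would want here: the Run value name "svchos" is one edit away from svchost; four of the six Run entries point into the user-writable Temp directory; the other two register a bare Windows system binary (taskhost.exe), which legitimate software does not do and which here is the process the sample wrote into; and every net stop uses /y, which also stops dependent services without prompting. The lookalike list, the path markers and the severity labels are the editor's choices; the command lines are the distinct ones from the Processes list, with the long paths held in constants.

```python
import re
from collections import Counter

# Added example (editor's code, not the sandbox's). COMMAND_LINES are the distinct
# command lines from the Processes section above; rules and severities are ours.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe"
TASKHOST = r"C:\Windows\system32\taskhost.exe"
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def reg_add(data, via_cmd):
    """Rebuild the REG ADD line as it appears in the report (optionally wrapped in cmd /C)."""
    cmd = f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{data}" /f'
    return rf'"C:\Windows\System32\cmd.exe" /C {cmd}' if via_cmd else cmd


COMMAND_LINES = [
    f'"{SAMPLE}"',
    r'"C:\Windows\system32\Dwm.exe"',
    r'"taskhost.exe"',
    rf'"{DROPPED}" 8 LAN',
    r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y',
    r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y',
    r'"C:\Windows\System32\net.exe" stop "samss" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
    reg_add(TASKHOST, True), reg_add(SAMPLE, True), reg_add(DROPPED, True),
    reg_add(SAMPLE, False), reg_add(TASKHOST, False), reg_add(DROPPED, False),
]

RUN_KEY_RE = re.compile(
    r'REG\s+ADD\s+"?(?P<key>HK[A-Z_]+\\[^"]*?\\CurrentVersion\\Run)"?\s+'
    r'/v\s+"?(?P<name>[^"\s]+)"?\s+(?:/t\s+\S+\s+)?/d\s+"(?P<data>[^"]*)"',
    re.IGNORECASE,
)
NET_STOP_RE = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+stop\s+"?(?P<service>[^"\s]+)"?(?P<force>.*?/y)?',
    re.IGNORECASE,
)
# Editor's lists: names that malware imitates, and directories any user can write to.
KNOWN_PROCESS_NAMES = ("svchost", "taskhost", "lsass", "csrss", "wininit", "winlogon", "explorer", "services")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_DIR_MARKERS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def levenshtein(a, b):
    """Edit distance, used to catch one-character lookalikes such as svchos/svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(cmdline):
    """Return a list of (rule, severity, detail) findings for one command line."""
    findings = []
    m = RUN_KEY_RE.search(cmdline)
    if m:
        name, data = m.group("name"), m.group("data")
        low = data.lower()
        for known in KNOWN_PROCESS_NAMES:
            if name.lower() != known and levenshtein(name.lower(), known) <= 1:
                findings.append(("run_key_lookalike_name", "high", f'value "{name}" mimics {known}.exe'))
                break
        if any(mark in low for mark in USER_WRITABLE_MARKERS):
            findings.append(("run_key_user_writable_path", "high", data))
        elif any(mark in low for mark in SYSTEM_DIR_MARKERS) and " " not in data.strip():
            # A Run value that launches a bare OS binary with no arguments is not how
            # software registers itself; here it matches the process the sample wrote into.
            findings.append(("run_key_bare_system_binary", "medium", data))
    m = NET_STOP_RE.search(cmdline)
    if m:
        severity = "medium" if m.group("force") else "low"  # /y also stops dependents
        findings.append(("service_stop", severity, m.group("service").lower()))
    return findings


def summarize(cmdlines):
    """Count findings per rule across a set of command lines."""
    counts = Counter()
    for line in cmdlines:
        for rule, _severity, _detail in triage(line):
            counts[rule] += 1
    return counts


if __name__ == "__main__":
    for line in COMMAND_LINES:
        for finding in triage(line):
            print(finding, "<-", line[:60])
    print(dict(summarize(COMMAND_LINES)))
```

The same REG ADD appears six times because each persistence write is logged once for cmd.exe and once for the reg.exe it spawns; for a production rule, key on the reg.exe instance to avoid double counting.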

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp
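
The Network table records only UDP datagrams to port 7: the default gateway, every multicast address in the ARP cache (the IGMP, LLMNR and SSDP groups) and one external host. Port 7 with no reply traffic is how Wake-on-LAN magic packets look in sandbox output, and public analyses of the Ryuk variant that launches copies with the "8 LAN" argument seen on BwDVIKn.exe above describe exactly that: magic packets sent to each ARP entry before the hosts' admin shares are tried. The report itself shows no payloads, so the datagrams below are constructed. The code is an added example by the editor, not sandbox logic: a parser for the magic-packet format plus a check that flags a host spraying them.

```python
# Added example (editor's code, not sandbox output). Parses Wake-on-LAN magic packets
# and flags a host that sprays them; every datagram in DATAGRAMS is constructed.
SYNC = b"\xff" * 6  # magic-packet synchronisation stream


def build_magic_packet(mac: str, password: bytes = b"") -> bytes:
    """6 x 0xFF, then the target MAC repeated 16 times, then an optional SecureOn password."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    if len(password) not in (0, 4, 6):
        raise ValueError("SecureOn password is 4 or 6 bytes")
    return SYNC + raw * 16 + password


def parse_magic_packet(payload: bytes):
    """Return the woken MAC as 'aa:bb:cc:dd:ee:ff' if payload is a magic packet, else None."""
    if len(payload) not in (102, 106, 108) or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def find_wol(datagrams):
    """datagrams: iterable of (dst_ip, dst_port, payload). Returns (dst_ip, dst_port, mac)
    for each magic packet. The port is reported, not filtered: WoL is conventionally sent
    to UDP 9 or 7, but the format is what identifies it."""
    hits = []
    for dst_ip, dst_port, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is not None:
            hits.append((dst_ip, dst_port, mac))
    return hits


def distinct_targets(hits):
    """Number of distinct MACs woken; a workstation waking many peers in one burst is the signal."""
    return len({mac for _ip, _port, mac in hits})


# Constructed datagrams modelled on the destinations in the Network table. The MACs are
# invented, except that the multicast ones follow the standard IPv4 multicast mapping.
DATAGRAMS = [
    ("10.127.0.1", 7, build_magic_packet("00:50:56:c0:00:08")),
    ("224.0.0.22", 7, build_magic_packet("01:00:5e:00:00:16")),
    ("239.255.255.250", 7, build_magic_packet("01:00:5e:7f:ff:fa")),
    ("154.61.71.51", 7, b"ping"),  # UDP/7 echo traffic that is not a magic packet
    ("10.127.0.1", 9, build_magic_packet("00:50:56:c0:00:08", b"\x00" * 6)),
]

if __name__ == "__main__":
    hits = find_wol(DATAGRAMS)
    for hit in hits:
        print("WoL magic packet", hit)
    print("distinct targets woken:", distinct_targets(hits))
```

Magic packets to multicast MACs wake nothing; they are a by-product of walking the ARP cache blindly, and that blind walk is itself a useful detection signal because no legitimate WoL tool does it.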

Files

memory/1488-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp

\Users\Admin\AppData\Local\Temp\BwDVIKn.exe

MD5 c49c19e172c2c6f8390bd26258557b18
SHA1 641d8da9c08060b04fc63b07c61e1c891d5d393a
SHA256 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA512 a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe

MD5 c49c19e172c2c6f8390bd26258557b18
SHA1 641d8da9c08060b04fc63b07c61e1c891d5d393a
SHA256 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA512 a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc

memory/1260-58-0x000000013FE70000-0x000000013FFE5000-memory.dmp

memory/1260-60-0x000000013FE70000-0x000000013FFE5000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst.RYK

MD5 7d9e3486d198ffd148f67c73079fde58
SHA1 6f0017c90c6a3d79737bfca98f4d1ec860b7cfc2
SHA256 26b0d4609f05016bf0121fa0c19df53a2e4328cdd4dbf944fe9aa5fc7ca1cfc3
SHA512 fc0c2c3d803369ff9e696337c162b36d4fef0efb2b90b782492467b945820613c4c593b65aed0b3ea934d0bde691ca8e81a2f6f409a90703f361a04c64b10d4f

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 19d0b3b89234480752ac8b513981ee05
SHA1 54111398aa98c807387ced24931862f1cc9f8f13
SHA256 40c5656680a5bc6dffb48036eee94cddf64e5f7ce4e87fc4ca4b6050d98e0134
SHA512 d754157e59242b7bd21be06fc33c9a90dad256d6a5e9a09e5d105e18d01708e8460afeb830fe330f4cb0b568308a953c1c8940f26104d6401bbbc756c89eecfb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 e94cd1e32dc0417b33af58f5c89f33d4
SHA1 53eafcfdcebc9312177f84d892686006a3a6e72f
SHA256 966f6d081f5b89505023bdc9d1b3c14050ebb10e81fe8d9a3ad06743acbe24dd
SHA512 908ff97a11bbf978a417e82927f14015bd56c38d38b3acbf7063a327f2f6e3a52321ace98356708db7b2eb2c1d55e40499ad0acfd639a2eec0f1a296c9e90e83

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5 91a1eb913ac6307e9c87bbf69b69e97a
SHA1 e46dbee2fc7a3fa60a4b1ae22c60a150feb29391
SHA256 c7595af9cd74daf9e46d23f65133bf117c8118c40813570f64081c7f5f339b51
SHA512 1d58c1e7070e337a8793ab3a16834420bdb44e2d7f948f06449c304f1ed66c84f64d820b3b2626d927e5eb3304966fd07972c3e3a5ef52410e0eaff2492e49ad

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 5cedf73dbf75099b8abcefc3f07e9975
SHA1 2ecabc828715573e9d7aefaf82bfb0e7379e92cc
SHA256 beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63
SHA512 dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 f1867c9548f5f0422eae73e1ae710d8f
SHA1 d5550b2b58fbfb6dd889f5e0c07510ec96bde8c7
SHA256 793a93ecb984c6a2a689e5797352be79822e33ae4865b77e77abd5332a7d2b1b
SHA512 2fc2245b782ca357ff634004ec51492486ea145eda63aec3f506a8d9c50623a1f09e0543cdd2f3e7aed9d0d4440af331b68777dee719328758773f931c60dede


Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:45

Reported

2022-02-20 06:14

Platform

win10v2004-en-20220113

Max time kernel

33s

Max time network

66s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
PID 2700 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
PID 2700 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\sihost.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
PID 2700 wrote to memory of 3816 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
PID 2700 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
PID 2700 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\System32\net.exe
PID 3816 wrote to memory of 1320 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 3816 wrote to memory of 1320 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\svchost.exe
PID 1608 wrote to memory of 2364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1608 wrote to memory of 2364 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\taskhostw.exe
PID 2700 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe C:\Windows\system32\svchost.exe

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe

"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"

C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe

"C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
NL 104.110.191.133:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe

MD5 c49c19e172c2c6f8390bd26258557b18
SHA1 641d8da9c08060b04fc63b07c61e1c891d5d393a
SHA256 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
SHA512 a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc