Malware Analysis Report

2024-08-06 09:27

Sample ID 221220-mrdegscd9y
Target bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
Tags
ryuk discovery evasion persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800

Threat Level: Known bad

The file bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800 was found to be: Known bad.

Malicious Activity Summary

ryuk discovery evasion persistence ransomware

Ryuk

Deletes shadow copies

Modifies boot configuration data using bcdedit

Executes dropped EXE

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Interacts with shadow copies

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2022-12-20 10:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-12-20 10:41

Reported

2022-12-20 10:44

Platform

win7-20220901-en

Max time kernel

109s

Max time network

97s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Deletes shadow copies

ransomware

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Users\\Admin\\AppData\\Local\\Temp\\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\EV = "\ufffeC:\\Windows\\system32\\taskhost.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\fr-FR\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Internet Explorer\de-DE\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Athens C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BL00254_.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Cancun C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.jpg C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_corner_bottom_right.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.emf.ecore_2.10.1.v20140901-1043.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\INDST_01.MID C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0157191.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\drag.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu.xml C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\dnsns.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\Catamarca C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Sakhalin C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\gadget.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\Jujuy C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw32.jpg C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099159.WMF C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkNoDrop32x32.gif.RYK C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Belize C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Asia\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\MST7MDT C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\currency.css C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-impl_zh_CN.jar C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-12 C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\pause_rest.png C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\CourierStd-Bold.otf C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\FD01658_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\currency.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\7-Zip\Lang\kab.txt C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\OFFICE14\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\mainscroll.png C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Uzhgorod C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_zh_4.4.0.v20140623020002.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01586_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\ext\RyukReadMe.html C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153265.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00118_.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0152702.WMF C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee100.tlb C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\RyukReadMe.html C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-spi-actions_zh_CN.jar C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml.RYK C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1B360F51-8053-11ED-8DFC-667719A561AF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe
PID 1672 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1060 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe
PID 1672 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1672 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1672 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1672 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\taskhost.exe
PID 1460 wrote to memory of 1532 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1532 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1460 wrote to memory of 1532 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1672 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1672 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1672 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\System32\net.exe
PID 1544 wrote to memory of 752 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1544 wrote to memory of 752 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1544 wrote to memory of 752 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe
PID 1116 wrote to memory of 1852 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1852 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1852 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 952 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 972 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1456 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1456 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1456 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 1588 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1588 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1588 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\system32\taskhost.exe C:\Windows\system32\icacls.exe
PID 1116 wrote to memory of 1620 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 1620 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 1620 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 768 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1116 wrote to memory of 768 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1116 wrote to memory of 768 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 972 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 1492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1852 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1852 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1852 wrote to memory of 872 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 952 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 952 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 952 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 972 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 972 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 768 wrote to memory of 2140 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 2140 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 768 wrote to memory of 2140 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1620 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1620 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1620 wrote to memory of 2160 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1672 wrote to memory of 7264 N/A C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"

C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

"C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe" 8 LAN

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

"C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe" 8 LAN

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4ec

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

C:\Windows\system32\cmd.exe

cmd /c "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"

C:\Windows\system32\cmd.exe

cmd /c "bootstatuspolicy ignoreallfailures"

C:\Windows\system32\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Windows\system32\taskhost.exe" /f /reg:64

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\System32\Wbem\WMIC.exe

WMIC.exe shadowcopy delete

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Windows\system32\taskhost.exe" /f /reg:64

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default}

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd /c "WMIC.exe shadowcopy delete"

C:\Windows\system32\cmd.exe

cmd /c "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe

cmd /c "bcdedit /set {default} recoveryenabled No & bcdedit /set {default}"

C:\Windows\system32\cmd.exe

cmd /c "bootstatuspolicy ignoreallfailures"

C:\Windows\system32\icacls.exe

icacls "C:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\system32\icacls.exe

icacls "D:\*" /grant Everyone:F /T /C /Qþþÿþ

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64

C:\Windows\System32\Wbem\WMIC.exe

WMIC.exe shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin.exe Delete Shadows /all /quiet

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "EV" /t REG_SZ /d "￾C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe" /f /reg:64

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled No

C:\Windows\system32\bcdedit.exe

bcdedit /set {default}

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\RyukReadMe.html

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:90884 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
N/A 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1672-54-0x000007FEFB7F1000-0x000007FEFB7F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/1584-57-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

\Users\Admin\AppData\Local\Temp\lMyNRbhtQlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/1060-62-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

C:\Users\Admin\AppData\Local\Temp\ZWuvnQjJelan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

memory/1116-64-0x000000013F6A0000-0x000000013F804000-memory.dmp

memory/1460-66-0x0000000000000000-mapping.dmp

memory/1532-67-0x0000000000000000-mapping.dmp

memory/1544-68-0x0000000000000000-mapping.dmp

memory/752-70-0x0000000000000000-mapping.dmp

memory/1116-71-0x000000013F6A0000-0x000000013F804000-memory.dmp

memory/1852-75-0x0000000000000000-mapping.dmp

memory/952-76-0x0000000000000000-mapping.dmp

memory/972-77-0x0000000000000000-mapping.dmp

memory/1456-78-0x0000000000000000-mapping.dmp

memory/1588-79-0x0000000000000000-mapping.dmp

memory/1868-80-0x0000000000000000-mapping.dmp

memory/1620-81-0x0000000000000000-mapping.dmp

memory/768-82-0x0000000000000000-mapping.dmp

memory/1492-83-0x0000000000000000-mapping.dmp

memory/872-84-0x0000000000000000-mapping.dmp

memory/2140-87-0x0000000000000000-mapping.dmp

memory/2160-88-0x0000000000000000-mapping.dmp

memory/980-85-0x0000000000000000-mapping.dmp

memory/2128-86-0x0000000000000000-mapping.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_8e28fefd-2db0-4dd4-85d7-665f2cf2c74b

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

memory/7264-90-0x0000000000000000-mapping.dmp

memory/7276-91-0x0000000000000000-mapping.dmp

memory/7300-92-0x0000000000000000-mapping.dmp

memory/7320-93-0x0000000000000000-mapping.dmp

memory/7364-95-0x0000000000000000-mapping.dmp

memory/7348-94-0x0000000000000000-mapping.dmp

memory/7404-96-0x0000000000000000-mapping.dmp

memory/7412-97-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 2780949502724b7d937cfb0232ff83c0
SHA1 c9395bd8c161f6b20db325040f803765c0976f38
SHA256 686ef708963d0138c9dae936742ffaa2cdec2a986dd6760a3ae1b4b690332eb4
SHA512 b32ca097d180c430e0a1c7c7e1e4684b658404f0cd43d001093540fa86d67b2fe43ea33b5274217af51f59853eb8eb016d239692f2a8e20fe1029c48e3dc0317

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\$Recycle.Bin\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 bf90ca3762cc3d9e7e56046c711b97ff
SHA1 db2862a5b0c0691c1ac1488b889453df7f263afa
SHA256 d813c0ce502e8441e73d586cf656d14a1c4020fd735c3ca448505df0324aa757
SHA512 91feaf37a21e716b0707573d67c7e1a399b3f4f9e138bb56ffc235911082177edf2c1cf5d00a80af11e267fa599696ff1614508b40e44611bd913d6e7f120709

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

MD5 dd38c18944a06ee4a8cfacc6a00a39cc
SHA1 179102b3a74e13728d8128fdf9dbbe7a981a295e
SHA256 b0b1857e0ea13893b56527179cb95ab751d50bd0d66ab2e5b21ca8a9420b0910
SHA512 95f3da400e4f5dbdeefca0599df760fbe4f830f9fb71e8b08bdf68c15b3015793edab3d38a8e49831bca6c9c035927f23704a250d8b172ba801089fd7d5829d8

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/7572-115-0x0000000000000000-mapping.dmp

memory/7588-114-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 723ae1e3f9efb68233e85071f964aa82
SHA1 ce13c356632d00500d65f138d9836d554247cbf5
SHA256 2fb79c60cbf81627ea37859d1768b0ba627a720ba68e49dfc0d7202d2a85c078
SHA512 908735ed57b906bbd81524541aadb613aa7e984e441e9135f23d9ea71e80189facecd7daa6787f8199351da291b29ee11155a67c0608058a18241388ddca0a51

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

MD5 71e9601619dcd47e4159c38252015616
SHA1 93fc169ffb92bfa28b5f4a2d56acc77f72b9051f
SHA256 634ccb1a52b5ae68eb932244f8e4f1d5829e07ff40ae17dcabf8954357d03458
SHA512 662d1b7d4269609926b3743a201838d486d74af26da1e98c1b220784ea123b20303fa655da06de3464c6401f579bc67f4549e66e63a43f72eb7f36b4db6614ee

memory/8144-126-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

MD5 fa51fa3dbb0a25388a7fc25fecd8fcba
SHA1 7333cb9fbdbbcba4fd35997c4fd04e00c759934d
SHA256 9e8e6b1145413c06ead94c320b1ca2ebe984b62a76df210aab9ea7926aa35a1f
SHA512 144d0ecd8d057bd77ec13117dc7b40feafcb850d93f9356317af6728e8dd7c9395d7113d7a2b900ca6bea789e42e4c2b3c16d083a869c2c192b713ff4f9d9a42

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

MD5 1b76c0afc705058d1f8c0f3a085ce961
SHA1 cc740f103e19bd5671cf3369ee43a29d1aff991e
SHA256 6eadb3c3e12c7d7ffa49a4b64a5667dbf9706c0d68d0c5ea32224889368f087f
SHA512 7cf4b1aa3fb58064cc69dc9c32a48573f14b7bc95353f7854d49d2df9d85518940db16c4add7d42ee77b044c216485991cbc1174bdf030bdeaaa9396422f2dbe

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

memory/8120-125-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5 897156ddc27f633c5e11b80c84d6b7ca
SHA1 34808c9473137bb00123e6f12a29574d23a857cd
SHA256 0945f524472cd3bc8e67d8719a52feb4c3ac11e62630caddd1a52580f9907e69
SHA512 406296be73f1442fb5d798817de4f0fae7454a84e72aa87ea2eb4b956b04498695913693660d0ff6e90997b2cfc307ba855550baec25b5f6b129321a6ac59ec0

memory/8592-127-0x0000000000000000-mapping.dmp

memory/8608-128-0x0000000000000000-mapping.dmp

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs.RYK

MD5 49820cb073bf1dc1653e62ed7c281aa3
SHA1 4f84dadec334761dccef8fe18e1f19dbbd5e76b0
SHA256 d3ba3d4977a6b70f4217fa89c1808cc24980263c01cead11e4b614f4fd496db7
SHA512 042800802c523fbc749ffe948ad2e02f0f5ddb7c58f89a1110c246d17ddb22bdaf4df74db5def2acb707b0051c93f72619da209dc1166ac7f5758adc9490a254

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5 4f76be2df9ef93cfbb9acab294f03961
SHA1 94e31ebf3d928327bb65198acc84ce2c7ca550c9
SHA256 192f760fd538400ab075c149de36887834fba30fb8c1b7d2a5ff06bab924331c
SHA512 96028f16b0aeeed27baacce704e3c9c6d91b62947fef2ee5b6003cc4e19b9e96d13ca4d237497fed5e6db0363da308f5ddb96c92c18edfd5f64bf151a07950b6

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs.RYK

MD5 845736c2f94a26ae4fba544b315097f3
SHA1 bfc0f010fb36e5cb82bad05fc01370f433719662
SHA256 5e022fc518541d2df49e529305d0f9013ea173af93ed33816193042bea22ab5d
SHA512 42b3295f673b0c9e5205676f180f8f36f38153c98c0f47fb96c5efe5c7ab4b4f806cb58050d317a48c73b0d09d50f318eb4945e65d58528dfd510310cd0fe670

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log.RYK

MD5 be3e049a5c32e1fd9b0fd0c84c405ac0
SHA1 2ecef2f0e62f303f2d83378a3170f85b25aa6364
SHA256 8f8f6d9058059e737a2aaa7d5c0e0ec06f0bf3329cbc967a10d9a57aa6e9a7aa
SHA512 cd557d509dcb2581f6a91ce52eda4fa90b8df1556ce24f7f19524ffff227a081ff69653f0ae31fe0bed7b69f311c6fb38a6fcde40753222f18228ca212b715bd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb.RYK

MD5 324b02213671bed4b3ac55fd44184514
SHA1 5535fdf3034e1f153cb45c92b8f155ed7f130d06
SHA256 31087ff2d2868453f7c525f8210b97ab91a7dcdfb54ef60ae96b1b8917601fe1
SHA512 5905bcf9f902e049121df00dc2a47c342f3cf1cf365bd5e80e1b01478861722ab21abcd092c53c308a49d9e53e51b4dbe2b4e9073ff9bcafda23f520055bf7eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 447f8f3381ec1b12fd035b277b10b94e
SHA1 cc345b79af03703be09b8d2074a27c8ac5fa274d
SHA256 55751e1ce4bf2209f71bdc2fe73268d921612f2253e52776b0b9655d60b677f1
SHA512 3afc78f62e4c8c8b090d9ab2d45bbee3ce71fe3d26655bafdbe01924975c7cd12f310c60ad69c569ffc9295bb563695c087d413b8be4e2ece146e74dc0a82fd3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI24D0.tmp.RYK

MD5 5c1f800b4e236131343ef7bc3da4e358
SHA1 4cbde89a7fbb17595557cdbb333d3c0e2c31fc01
SHA256 f362dc1bc0314afb4d1ed71806cecaff867a8f0df89e59736e9d75d1c309bd41
SHA512 f02867c0f604958adb621dc42792b7ee038dbb037fb76de80234ba1a9400423e8405ed7c22d9e228f3e595dafafdfb40f28862fc04d35a2c950a830150d114cd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

MD5 7bc036a6a70b43a52ea270ed11a6d2f0
SHA1 04179f22cdf45ea2b0a7f8ee86ed2b5f2637d940
SHA256 f17fa60105feb0e2642c02336da2b67993c3f7a825e53f85c0368be32fe3d256
SHA512 7f9cae843372e0fd1f7c3652014b712794ebe259fcdece95dff949d9c7efc1072dd5abae17b423835bf7d03a7e35a5f551ee7ee4936f59a8acf748d909781ce1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log.RYK

MD5 90ff23f9771f1633ab5f188ac03a830f
SHA1 3575e0fc498566068a49dd033d5b1fca13439a21
SHA256 8512ea122434d355e9e9cbccb891cfca837946f5b2beeaa50d65f945d4a35bdd
SHA512 88276e4005ea724fc012b4e36a098c20ae59b17c7c723d95d3db19ca8b50b631b584f7ca9b34007b9bb3a5d4336a7e52672abf91b894c599a7a23b0062687493

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk.RYK

MD5 1039764a48b3a9b34b2568786b6e9fc7
SHA1 8c0279561e1cc9604dd8a8fef4c3ad308966804e
SHA256 7c19cc4fc7b285fc95c7f1f2e0260fb754c79a6a3e6f62c1d32049609bf9e757
SHA512 471f3b6b09493c148cebf55f150c47a93763a59eb6c8fefbf579b7c4ca10cd1aa5b0f9ce36f0ad95188a2f7286d4d246c6abd6c5c5521d68ee5c0e550f060abe

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 0a11dbd21dc8d6d57ae9c8bcc8c8f606
SHA1 a65eaf4b6e88b7c17dbaf8a4aefb0f683076117a
SHA256 f57c118d645bccc8868bb7b8b3b225de82ec8bbbe8f4ec58b4488c237e5933be
SHA512 57093e5c7bb226c488be606cdfb8f73bf63af32a971a397ad7cca631aa0ab7b879b377ce653bb8c2d4c415cdc168062f41613583af2f55568e846b1fa1eb5f9b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 a3d999fa78ff731c87c0f3a531eb1d8a
SHA1 c9cfa81df75127d66c774c6b0b49665714ff2d0e
SHA256 2958b36bc007fd1c3844b88e8fc793e8984bac5fd5fc72ab93e4341ed47970f6
SHA512 b182a033f0ce1abccf09067336cd2eca758211894451ecd703e744937446e27ab8d36c2f3ac4dffe644c328fabe51dd5ca7ca7765ba27a1e6a004adca7f198db

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5 98c5368458ac9b511e07fc7b1dafd2ed
SHA1 d16a5c8f6f63d7397f6b42e455f81791b7d4ac73
SHA256 cff4722f0131c8d99cde6e37eecca12dbec42a21addf392183be441dbe4d43b2
SHA512 89698a41d14a03b3465f705d7962294356bd062a3cf88b954be8b184a5b2a9af98fb533f21b9ac06ab2d7ee3e5ef444bf92a2ca9373c3ccda85a071817363089

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGI24D0.tmp-tmp.RYK

MD5 0310ae8a0f3558d2b851da71a754a46c
SHA1 e156f64bb1a8a0c5507374fc3f45810b2d6fa580
SHA256 657ad475883186d7776b91b84e460b8c67dab45c9841bff0e414b5ccd86af5e5
SHA512 3db935fb8f10209239afca7366fc688b475474d5c9a583ee5c5596a0c27dca2ade13ff97c1282d28f400e794d5f98e33a65a21cfd553b661365b8c1bef15637b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

Analysis: behavioral2

Detonation Overview

Submitted

2022-12-20 10:41

Reported

2022-12-20 10:44

Platform

win10v2004-20220812-en

Max time kernel

28s

Max time network

74s

Command Line

sihost.exe

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe | N/A

Enumerates physical storage devices

Runs net.exe

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe

"C:\Users\Admin\AppData\Local\Temp\bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800.exe"

C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe

"C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe" 8 LAN

C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe

"C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country | Destination | Domain | Proto
N/A | 93.184.221.240:80 | (none) | tcp

Files

C:\Users\Admin\AppData\Local\Temp\UROdMlePmlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08

C:\Users\Admin\AppData\Local\Temp\jdyBJlcBPlan.exe

MD5 f62bb82db62dd6b80908dcd79ea51fb2
SHA1 e635ba1b935adf31ffd055d71884098567b3dd4f
SHA256 bf575ce1c9425bc44f5cabbc34366e0e92ef369db0a8b69942c5bdb1cca9b800
SHA512 869863239f231d3bea636a98f7adb8d6f04f60fb2cacc5ef8d8d87bfaf327abc57668e0cc1e8f10adcb7156646ff75ff67fb3f06f22b25797220eccd91b93e08
