Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-dj2yfagaf4
Target b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a
SHA256 b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a

Threat Level: Known bad

The file b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 03:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:03

Reported

2022-02-20 03:13

Platform

win7-en-20211208

Max time kernel

165s

Max time network

138s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\H2R8HLJC\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\E16QEJ8K\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\ZZZ3YRT4\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\DBS3QI6C\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\SendTo\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\ZKOSACOX\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\AKOZAZUE\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\VL9MRVWS\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\8927RJE4\desktop.ini C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Windows\system32\taskhost.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\system32\taskhost.exe
PID 1588 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1056 wrote to memory of 1484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 1484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 1484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1032 wrote to memory of 1148 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1032 wrote to memory of 1148 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1032 wrote to memory of 1148 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1588 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\system32\Dwm.exe
PID 1588 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1648 wrote to memory of 1212 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1648 wrote to memory of 1212 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1648 wrote to memory of 1212 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 1348 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1348 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 1348 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1348 wrote to memory of 1440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1348 wrote to memory of 1440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1348 wrote to memory of 1440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1588 wrote to memory of 8768 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 8768 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 8768 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 8768 wrote to memory of 8796 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 8768 wrote to memory of 8796 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 8768 wrote to memory of 8796 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1588 wrote to memory of 16476 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 16476 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 16476 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 16504 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 16504 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 16504 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 16476 wrote to memory of 16520 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16476 wrote to memory of 16520 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16476 wrote to memory of 16520 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16504 wrote to memory of 16536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16504 wrote to memory of 16536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 16504 wrote to memory of 16536 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1588 wrote to memory of 34668 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 34668 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 34668 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 34668 wrote to memory of 34692 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34668 wrote to memory of 34692 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34668 wrote to memory of 34692 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1108 wrote to memory of 34712 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 34712 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1108 wrote to memory of 34712 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 34720 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 34720 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 1588 wrote to memory of 34720 N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe C:\Windows\System32\net.exe
PID 34712 wrote to memory of 34760 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34712 wrote to memory of 34760 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34712 wrote to memory of 34760 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34720 wrote to memory of 34768 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34720 wrote to memory of 34768 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 34720 wrote to memory of 34768 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe

"C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y
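The script below is an added example, not part of this sandbox report and not the sandbox vendor's tooling. It rebuilds the process graph from the WriteProcessMemory, AdjustPrivilegeToken and Processes data above and applies the three checks a responder would pull out of this run: writes from a user-writable path into a long-lived system process (the sample, PID 1588, into taskhost.exe 1108 and Dwm.exe 1164), `net stop <service> /y` command lines for the two services this sample stops (samss, audioendpointbuilder), and service stops whose origin chain passes through an injected host (taskhost.exe 1108 spawning net.exe 1348, 16504 and 34712), plus the injected host that went on to enable SeBackupPrivilege. PIDs and image paths are taken from the report and the tripled WriteProcessMemory rows are collapsed to one edge each; the pairing of command lines with PIDs is assumed, because the Processes list gives command lines without PIDs; the regular expressions, function names and the SYSTEM_HOSTS and WATCHED_SERVICES lists are this example's own choices.

```python
"""Correlate the WriteProcessMemory, AdjustPrivilegeToken and Processes data above.

Added example: not sandbox output and not any vendor's tooling. PIDs and images
are as reported; the tripled WriteProcessMemory rows are collapsed to one edge
each; the pairing of command lines with PIDs is assumed (the Processes list
gives command lines without PIDs).
"""
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe")
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\system32\net1.exe"
TASKHOST, DWM = r"C:\Windows\system32\taskhost.exe", r"C:\Windows\system32\Dwm.exe"

# (writer pid, target pid): one edge per process pair in the WriteProcessMemory table.
WRITES = [
    (1588, 1056), (1588, 1108), (1588, 1032), (1056, 1484), (1032, 1148),
    (1588, 1164), (1588, 1648), (1648, 1212), (1108, 1348), (1348, 1440),
    (1588, 8768), (8768, 8796), (1588, 16476), (1108, 16504), (16476, 16520),
    (16504, 16536), (1588, 34668), (34668, 34692), (1108, 34712), (1588, 34720),
    (34712, 34760), (34720, 34768),
]

def _stop(svc, net1=False):
    """The two command-line shapes seen in the Processes list."""
    exe = NET1[:-4] if net1 else f'"{NET}"'
    return f'{exe} stop "{svc}" /y'

# pid -> (image, command line); the PID pairing for the net/net1 command lines is assumed.
PROCS = {
    1588: (SAMPLE, f'"{SAMPLE}"'),
    1108: (TASKHOST, '"taskhost.exe"'),
    1164: (DWM, f'"{DWM}"'),
    1056: (NET, _stop("audioendpointbuilder")),
    1484: (NET1, _stop("audioendpointbuilder", net1=True)),
}
for net_pid, net1_pid in [(1032, 1148), (1648, 1212), (1348, 1440), (8768, 8796),
                          (16476, 16520), (16504, 16536), (34668, 34692),
                          (34712, 34760), (34720, 34768)]:
    PROCS[net_pid], PROCS[net1_pid] = (NET, _stop("samss")), (NET1, _stop("samss", net1=True))

# pid -> privileges enabled, from the AdjustPrivilegeToken table.
TOKEN_ADJUST = {1588: {"SeDebugPrivilege", "SeBackupPrivilege"}, 1108: {"SeBackupPrivilege"}}

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
SYSTEM_HOSTS = {"taskhost.exe", "dwm.exe"}   # long-lived system processes written to in this run
SERVICE_STOP = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?\s+/y\b', re.IGNORECASE)
WATCHED_SERVICES = {"samss", "audioendpointbuilder"}   # the services this sample stops

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def writers_of(writes):
    """target pid -> pids that wrote into it, in report order."""
    index = defaultdict(list)
    for writer, target in writes:
        index[target].append(writer)
    return index

def find_injections(writes, procs):
    """Writes from a user-writable location into a long-lived system process."""
    return [(w, t) for w, t in writes
            if USER_WRITABLE.search(procs[w][0]) and basename(procs[t][0]) in SYSTEM_HOSTS]

def find_service_stops(procs, watched=WATCHED_SERVICES):
    """(pid, service) for every net/net1 'stop <service> /y' on the watch list."""
    hits = []
    for pid, (_, cmd) in sorted(procs.items()):
        m = SERVICE_STOP.search(cmd)
        if m and m.group(1).lower() in watched:
            hits.append((pid, m.group(1).lower()))
    return hits

def origin_chain(pid, writers):
    """Follow 'was written to by' edges back to the root writer."""
    chain = [pid]
    while writers.get(chain[-1]):
        nxt = writers[chain[-1]][0]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def find_proxied_stops(writes, procs):
    """Service stops whose origin chain passes through an injected system process."""
    writers = writers_of(writes)
    injected = {t for _, t in find_injections(writes, procs)}
    out = []
    for pid, svc in find_service_stops(procs):
        via = [p for p in origin_chain(pid, writers)[1:] if p in injected]
        if via:
            out.append((pid, svc, via[0]))
    return out

def find_privileged_hosts(writes, procs, adjust=TOKEN_ADJUST):
    """Injected system processes that went on to enable a sensitive privilege."""
    injected = {t for _, t in find_injections(writes, procs)}
    return sorted((pid, sorted(privs)) for pid, privs in adjust.items() if pid in injected)

if __name__ == "__main__":
    for w, t in find_injections(WRITES, PROCS):
        print(f"injection  {w} {basename(PROCS[w][0])} -> {t} {basename(PROCS[t][0])}")
    for pid, privs in find_privileged_hosts(WRITES, PROCS):
        print(f"privilege  injected host {pid} enabled {', '.join(privs)}")
    for pid, svc, via in find_proxied_stops(WRITES, PROCS):
        print(f"proxied    pid {pid} stopped {svc} via injected host {via}")
```

Run as-is it prints the two injections, the SeBackupPrivilege enable in taskhost.exe 1108, and the six net/net1 processes whose chain runs through that injected host. On real telemetry, replace WRITES, PROCS and TOKEN_ADJUST with the parent/child, image, command-line and privilege fields from Sysmon or EDR events, and extend WATCHED_SERVICES with whatever services the environment's ransomware playbook treats as sensitive. The chain to alert on is the combination: net.exe stopping services is routine on its own, but net.exe stopping samss from a taskhost.exe that a Temp-resident binary just wrote into is not.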

Network

N/A

Files

memory/1588-55-0x000007FEFBEB1000-0x000007FEFBEB3000-memory.dmp

memory/1108-56-0x000000013F7A0000-0x000000013FB37000-memory.dmp

memory/1108-58-0x000000013F7A0000-0x000000013FB37000-memory.dmp

memory/1164-59-0x000000013F7A0000-0x000000013FB37000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 03:03

Reported

2022-02-20 03:15

Platform

win10v2004-en-20220113

Max time kernel

47s

Max time network

149s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe N/A

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe

"C:\Users\Admin\AppData\Local\Temp\b3f9ac2849fcbafb5abcede2fff0d05754d4b08b20b102af9f14849c2c10e63a.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 crl4.digicert.com udp
US 93.184.220.29:80 crl4.digicert.com tcp

Files

memory/2320-130-0x00007FF64BAA0000-0x00007FF64BE37000-memory.dmp

memory/2328-131-0x00007FF64BAA0000-0x00007FF64BE37000-memory.dmp