Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-efb4aahdfq
Target a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10
SHA256 a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10

Threat Level: Known bad

The file a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 03:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:52

Reported

2022-02-20 04:27

Platform

win7-en-20211208

Max time kernel

162s

Max time network

36s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 744 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\system32\taskhost.exe
PID 744 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\system32\Dwm.exe
PID 744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 1868 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 764 wrote to memory of 1832 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 764 wrote to memory of 1832 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 764 wrote to memory of 1832 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1120 wrote to memory of 1992 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 1992 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 1992 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1992 wrote to memory of 1804 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1992 wrote to memory of 1804 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1992 wrote to memory of 1804 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1120 wrote to memory of 1724 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 1724 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 1724 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1724 wrote to memory of 1496 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 1496 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1724 wrote to memory of 1496 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 744 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 472 wrote to memory of 2120 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 472 wrote to memory of 2120 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 472 wrote to memory of 2120 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 744 wrote to memory of 31420 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 31420 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 31420 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 31420 wrote to memory of 31444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31420 wrote to memory of 31444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31420 wrote to memory of 31444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1120 wrote to memory of 31456 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 31456 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 31456 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 31456 wrote to memory of 31480 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31456 wrote to memory of 31480 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31456 wrote to memory of 31480 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 744 wrote to memory of 31492 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 31492 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 31492 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 31492 wrote to memory of 31516 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31492 wrote to memory of 31516 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31492 wrote to memory of 31516 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 744 wrote to memory of 19496 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 19496 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 19496 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 19496 wrote to memory of 1672 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 19496 wrote to memory of 1672 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 19496 wrote to memory of 1672 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1120 wrote to memory of 31448 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 31448 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1120 wrote to memory of 31448 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 31448 wrote to memory of 31428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31448 wrote to memory of 31428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 31448 wrote to memory of 31428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 744 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
PID 744 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe C:\Windows\System32\net.exe
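The table above is easier to act on as a graph than as rows. The script below is an added example written for this page, not output from the sandbox: it parses rows in the report's own layout, de-duplicates the repeated entries, flags cross-process writes from the sample (which runs from the user's Temp directory) into OS-started session processes, and then walks the graph to show what each injected host launched afterwards. In the report the writes into taskhost.exe (PID 1120) and Dwm.exe (PID 1180) appear once, while every write that precedes a net.exe or net1.exe launch appears three times; the script reports that multiplicity but bases its verdict on the target image, not on the count. The INJECTION_TARGETS watchlist and the USER_WRITABLE directory list are assumptions of the example, not something the report states.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe"
TASKHOST, DWM = r"C:\Windows\system32\taskhost.exe", r"C:\Windows\system32\Dwm.exe"
NET, NET1 = r"C:\Windows\System32\net.exe", r"C:\Windows\system32\net1.exe"

# Constructed input: rows copied from the WriteProcessMemory table above, in the
# report's own "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
# layout. Rows the report lists three times are repeated three times here.
WPM_ROWS = [
    f"PID 744 wrote to memory of 1120 N/A {SAMPLE} {TASKHOST}",
    f"PID 744 wrote to memory of 1180 N/A {SAMPLE} {DWM}",
    *([f"PID 744 wrote to memory of 764 N/A {SAMPLE} {NET}"] * 3),
    *([f"PID 764 wrote to memory of 1832 N/A {NET} {NET1}"] * 3),
    *([f"PID 1120 wrote to memory of 1992 N/A {TASKHOST} {NET}"] * 3),
    *([f"PID 1992 wrote to memory of 1804 N/A {NET} {NET1}"] * 3),
    *([f"PID 1120 wrote to memory of 1724 N/A {TASKHOST} {NET}"] * 3),
    *([f"PID 1724 wrote to memory of 1496 N/A {NET} {NET1}"] * 3),
]

ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) "
    r"(?P<indicator>\S+) (?P<src>[A-Za-z]:\\.*?) (?P<dst>[A-Za-z]:\\.*)$"
)
# Assumption (a watchlist, not something the report states): OS-started session
# processes that a user-mode program has no legitimate reason to open for write.
INJECTION_TARGETS = {"taskhost.exe", "dwm.exe", "explorer.exe", "svchost.exe"}
# Assumption: directories a low-privilege user can write to; a binary running
# from one of them is treated as untrusted origin.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src: str
    dst: str


def parse_rows(rows):
    """Turn report rows into Write records; lines that are not rows are ignored."""
    out = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if m:
            out.append(Write(int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"]))
    return out


def image(path):
    return path.rsplit("\\", 1)[-1].lower()


def from_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(rows):
    """Map each injected system process to what it was made to launch afterwards."""
    counts = Counter(parse_rows(rows))          # (src, dst) pair -> how often it was logged
    edges = defaultdict(list)                   # src_pid -> distinct writes it made
    for w in counts:
        edges[w.src_pid].append(w)
    injected = {}
    for w in counts:
        if not (from_user_writable(w.src) and image(w.dst) in INJECTION_TARGETS):
            continue
        # Walk the write graph downwards from the injected host: every process it
        # wrote into, then everything those wrote into (net.exe -> net1.exe).
        chain, stack, seen = [], [w.dst_pid], set()
        while stack:
            pid = stack.pop()
            if pid in seen:                     # PIDs get reused; never loop forever
                continue
            seen.add(pid)
            for child in edges.get(pid, []):
                chain.append((child.dst_pid, image(child.dst)))
                stack.append(child.dst_pid)
        injected[w.dst_pid] = {
            "image": image(w.dst),
            "source_pid": w.src_pid,
            "writes": counts[w],
            "proxied": sorted(chain),
        }
    return injected


if __name__ == "__main__":
    for pid, info in analyze(WPM_ROWS).items():
        print(f"{info['image']} (pid {pid}) written {info['writes']}x by pid {info['source_pid']}; "
              f"launched afterwards: {info['proxied'] or 'nothing'}")
```

Run stand-alone it prints one line per injected host. On this data taskhost.exe is the process the sample then used to run net.exe, which is why four of the net.exe launches in the table above (PIDs 1992, 1724, 31456 and 31448) come from taskhost.exe rather than from the sample; Dwm.exe receives a write but launches nothing in the table.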

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe

"C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y
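Every net.exe / net1.exe pair in the list above is the same command executed twice, because net.exe hands its work to net1.exe. The following is an added example, not part of the sandbox report: a detector that matches both spellings as they appear in the Processes section, records the service name and whether /y was passed to suppress the dependency prompt, and counts stops per service using only the net.exe rows so that each stop is counted once. Stopping samss (the Security Accounts Manager service) is something no ordinary application does, so the example rates that as high severity; the display names and the severity call are the example's own assumptions, not something the report states.

```python
import re
from collections import Counter

# Constructed input: command lines copied from the Processes section above.
COMMAND_LINES = [
    r'"C:\Windows\system32\Dwm.exe"',
    r'"taskhost.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe"',
    r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y',
    r'"C:\Windows\System32\net.exe" stop "samss" /y',
    r'C:\Windows\system32\net1 stop "audioendpointbuilder" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
    r'"C:\Windows\System32\net.exe" stop "samss" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
]

# Matches both spellings the report shows: net.exe (quoted, with .exe suffix) and
# the net1 helper it hands the command to (unquoted, no suffix).
NET_STOP_RE = re.compile(
    r'(?:^|[\\"\s])(?P<binary>net1?)(?:\.exe)?"?\s+stop\s+"?(?P<service>[^"\s]+)"?(?P<rest>.*)$',
    re.IGNORECASE,
)
# Assumption: display names for the two services seen here, and a severity call.
# samss is the Security Accounts Manager; legitimate software does not stop it.
SERVICE_NAMES = {"samss": "Security Accounts Manager", "audioendpointbuilder": "Windows Audio Endpoint Builder"}
HIGH_SEVERITY = {"samss"}


def detect_service_stops(cmdlines):
    """Return one finding per command line that stops a service via net/net1."""
    findings = []
    for cmd in cmdlines:
        m = NET_STOP_RE.search(cmd)
        if not m:
            continue
        service = m["service"].lower()
        findings.append({
            "cmdline": cmd,
            "via": m["binary"].lower() + ".exe",
            "service": service,
            "display_name": SERVICE_NAMES.get(service, "unknown"),
            "forced": "/y" in m["rest"].lower(),      # /y answers the "stop dependents?" prompt
            "severity": "high" if service in HIGH_SEVERITY else "medium",
        })
    return findings


def summarize(findings):
    """Stops per service, counting net.exe rows only: the net1.exe child re-runs
    the same command, so each stop would otherwise be counted twice."""
    return Counter(f["service"] for f in findings if f["via"] == "net.exe")


if __name__ == "__main__":
    found = detect_service_stops(COMMAND_LINES)
    for f in found:
        print(f"[{f['severity']}] {f['via']} stop {f['service']} ({f['display_name']}) forced={f['forced']}")
    print(dict(summarize(found)))
```

The same logic maps directly onto a Sigma process-creation rule: Image ends with \net.exe or \net1.exe, CommandLine contains "stop", and the alert carries the service name so that a samss stop can be triaged ahead of the rest.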

Network

N/A

Files

memory/744-55-0x000007FEFBAD1000-0x000007FEFBAD3000-memory.dmp

memory/1120-54-0x000000013F500000-0x000000013F7DA000-memory.dmp

memory/1120-57-0x000000013F500000-0x000000013F7DA000-memory.dmp

memory/1180-58-0x000000013F500000-0x000000013F7DA000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 0be16aa241eeb7741b47dade475b9b8b
SHA1 80c6d64acdf0cc67bc8d404b768f82c3bfc1682a
SHA256 359ebde7187de84da3523b4d85025b7f83ea36a29942eafbc5603b569b09b07d
SHA512 07217b3da6461d5cde456cdeaea377e0815af49c91900bc36967615f38bdb9acb57878a53ae4361f2d491d564a3c517d9bbed86464098d61b631802294f23f76

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 7732787c4edd9ea5aceafad97ffcdcdd
SHA1 a1885afbdbc12d360e4a681be063d6b33483caca
SHA256 29aab684606acd86c7de691359503b7b70166ad76381ae75b81aac7aa35eaf8a
SHA512 4d042b0fee3b82d447e5e0a465c36b6d614440948ca47fb6fc7e7d4618608e46e6f3234422bcb860008a170370f6c955b92497f51fab91ea1ff037a21a641739

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 094e821af46dce25eb9d5056d63b92fc
SHA1 c3db9a038747058bd18c83722461f2ee8b88b173
SHA256 3f3f20527e9c7b6425e9141ba54ef9fd3ae88d4604c901d34e85b7bcfa6f8220
SHA512 8dff784974691fed265fd18b57fc3d2a9600894e4a802e32bb19472c3f5c37f417db1678ed8b30431538d6808a27a08c66c6f55e8f1987583053c4419927e339

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst.RYK

MD5 6d56b69286fccecdbc13fa13d25a475b
SHA1 2e5ad48cf0b993fc9c4497c23fa9ec003a539811
SHA256 d5d15240e1efa096b725a79d93a14b39af9a1bffc105621cc8a413482e85aee6
SHA512 74a48c5dbc45ddf586f77e67315c60e6e56a99b927e79a5db41a77e7d954d21a2962d6f7ad37698498bd2aa94c26ffa41d749a386a158e43091ddf2504a0c5cc

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 61d19386608c999b6892153510e35e09
SHA1 5a07cb0e4e3e88702d64fa3a39b1437b5b8a1353
SHA256 cc903ecfd8c0551d4f7c9126ec1c4cf4d7a1fbd26b6364c565c25bb79dccc087
SHA512 8b370acf839302aaecd4f31feb818ff7dfab9208bbae1b4489a3817d740cd247e62ad7973d362a210bdb141b3bc58c947242ac015cff685aa9a922cc5a5421db

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 3bba43fe4c920d9411e86faadf94b900
SHA1 41d759fdd4feac2cf60c567e44add2319d5dc0a8
SHA256 855eab8b05ea9fba87312202bcdf0febf7594a573119f14f40669d975f155b99
SHA512 73a9e0ee60acb97008526ce224c638021c433ef932058d01ab1bddfb3deb4f653807d8234ee813f8e23ad117a77af7c0be2e8828469a56dce9fff03548cd9306

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5 3ffcbd7202bab86bd35e1b40bb991320
SHA1 f7bab8636031d2363fa9f3e8a228e94fc3e21c22
SHA256 c5ebaef9bae4b010cf72787ce6c6ae1ad0cc45908f926b5241fd71bcd3b10f63
SHA512 340bd18e2571002bf96612c61f124e1306b71259bdf544101ff872e63e7e432a759c3e5c21de04b58975886c6a832906b6556cd8b070acbcb22239692836df2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt

MD5 c6d72c6adb1bf85686db58dbac4533e5
SHA1 bda2e4ed63814f6f44eebab7f138a8acf0e2b053
SHA256 0747e62f78a7f9568ad61591287f3d098b57b97fbb4b0542033f293e8968729a
SHA512 2b6ce09fea4885fc32511045f17bb14580ae04d86d4eda6fd38d9956d5c3ca6d65f2f38fb58569b1b4e00f74f4d35f1dfd929992b2e6fb95269225f0c81ad468

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5 3e98b676ed822dc72e6c9dccf47bdac1
SHA1 f1f8fe423f93c0fbeed96a993853a1ccda0025de
SHA256 db3bb8b9fa01928d3e4f2788557765a37d484034709c796d459bbf8e1796c34d
SHA512 3deb53800b827faadd3569d347bc4743cc14144b1634ff225174866825603e1ef0ad04b558f7e0d78ff144207bc03e8dc4859c697e0460626775f57bd3aab03e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5 d9faaa45e2fa4dccaf96307459f10363
SHA1 eb011d19eb626db509620c8303e8bb70ff1f8daa
SHA256 294baf5514a1eaf82bcee689afca5d708dd6f307b663b7a8b756cccd2fc640c0
SHA512 56b0480dea253361a2d08b3ff2cbd0c3bfa542ed0fa9833df7fd1630dd449c5779c38ae510bf81df29a18c62a7307b7de20edbe303251d580281df5900f26610

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp

MD5 8fd340c540dbdbb90d9d6d92556e361c
SHA1 c53b78e7569a9497a682c17d2ccd694d1255e2d7
SHA256 a261464dc74af97221e52fa1ba383cf78d0e144386caa2c0056551ea541fd2a0
SHA512 4ad7a39c47c923febcd239890d853d432de5fd3cdad13700e536326b8f05e98796461dac008e0f6925129bebd51b1b012f123c6536346fc57c0c6711993e0d7a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 23537978727376e90147578d6e4a0cad
SHA1 bc2c3a75bb0a102bb46c592ff2d0f0fa926dc699
SHA256 073ce2a1530a511ad7309c8f2e7f3816219709262e36684c20ab27cc367417cd
SHA512 8d95b249da0796e0842f72bd9123da0dad06242c49f7e8af9708c45ab9d54fbeb2339b57a2ed6c8abe447cf2e1e68ed847480e70a4e6a7589e91c14e149ba4be

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5 0a59559fce05a717e41bd71cbf9777b2
SHA1 16a8f9db909afc9e40870277677deddc107f99a7
SHA256 551f528309b9df152bbbed67d412853120116cb0134e091b149cf94264c8b44f
SHA512 224a6a11f616c55a2c084598aeac0620c0bbc400a093c12030a7e47c5991e21efcb9213c6797f58eb993da5ed47c7b8636717238a410bc067125f0757a208714

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b
SHA512 5c9efbf65e8559c5ac1c8e31a815e6e96dfd5beff989454421c0873bd8497b4d22bb2e789eaa48a64d3697cd1971191c8607dd97110f0d95193215b91bc5be26

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5 0e5ffff16e069f8eacf3cb833f26c131
SHA1 0e7b80c7e8dc862f4bfc481d7686ec6e94d5d64b
SHA256 d5a26fcd6ea0a772dec6bef78d955ef52d3ffae8b70219d3c6a1643b1bfcb7e5
SHA512 9ab27b7b9b5e23f53f96fcf2a415b850abf1562cbb4d891e39297d8755503a2bbd969b53527e93a2cd97ecc098a4587ca763e22ddcce25d2341553574663e385

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5 825e7c17486cb5daeeeaff9c238c7429
SHA1 b74b42139642fde274b72fde2faf5b35c8a614c1
SHA256 4dc761222ae865dfac30200b9e53fb59abd6d72d3dc70e5b7040049af42e143d
SHA512 0b90604734259290a310302a15c923a0524d08bab44219ebce14d803dd511abb79f4e1d67702ee9cefd1c73abeac6dca884094ef85153f5ddd47f9dd11120962

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5 96a91962d17fd1210150b48859c9fe8c
SHA1 7b1c385b48682884985edd213044876a3d2cd2dd
SHA256 34479d7147a935c6a95454e3e334cbba577871ef36b2d4932bd41abfc468861b

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 03:52

Reported

2022-02-20 04:27

Platform

win10v2004-en-20220113

Max time kernel

47s

Max time network

100s

Command Line

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe N/A

Processes

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe

"C:\Users\Admin\AppData\Local\Temp\a1c2e6660cff8d87a924ed0079f94374d04602433014c46ae6c52700c45ddc10.exe"

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 13.107.21.200:443 tcp
US 23.96.229.177:443 tcp
US 52.182.143.208:443 tcp
US 93.184.221.240:80 tcp

Files

memory/2916-131-0x00007FF7F03F0000-0x00007FF7F06CA000-memory.dmp

memory/2896-130-0x00007FF7F03F0000-0x00007FF7F06CA000-memory.dmp