Malware Analysis Report

2024-10-23 18:37

Sample ID 220220-ehnj4aheak
Target 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17
SHA256 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17
Tags
ryuk ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17

Threat Level: Known bad

The file 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-02-20 03:56

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 03:56

Reported

2022-02-20 04:32

Platform

win7-en-20211208

Max time kernel

172s

Max time network

157s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A
File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A
N/A | N/A | C:\Windows\Explorer.EXE | N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe

"C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe"

Network

N/A

Files

memory/1140-54-0x000000013F040000-0x000000013F3C3000-memory.dmp

memory/1140-56-0x000000013F040000-0x000000013F3C3000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 50b3f2fbf1fd004bef5455c39d6c9967
SHA1 e1bfe81aa3b3d4e847f9fb229c455a1e9c6ee87a
SHA256 d6dacf3aa9c57feadb5c9e5dfea2c9f549be4b4f054cad9fc115e6ee3e172556
SHA512 0be90b31e14fcd075098241b5735173604e34651b2716a4fd41d187874be9547873889883c4cdd88a50f34e739858d58bbad6970753ac237711f29ff7629f3c1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc

MD5 e1013dfaf01055b78fc27c92894c8347
SHA1 032e5cf3efd9902b19ef330fdb05b14bcf54cdb7
SHA256 9015d29c2e87429e1614c9105a4d08590e959cd7524c155f0169932bf590ba44
SHA512 3264e6910304df57e61ac7ffdca76791e442b3395e52e80798c132d3c04953c239d7cbd81f807b714824eada7f68dd9a88fbb62616bd24a2e554dff0fc2e7d9e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst

MD5 6067eddd6450593fbc7fc2b2bfd5cfe4
SHA1 a8d44f6e88d8f72537a2c74f99e9715e2a5ca9d5
SHA256 6504d5a673ce2d8d70848daa5bdc7b25180202af776f4de19ccc7abe6270709d
SHA512 68a611a60fc16db014506617fc265766cea7d11a2220891dcd1561df9be8d78ece3d4692b8130477dd3c3d6f0fae07911f5a8ff9db6be19328b0cf2eda9a565d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 31d8277ffe3e87795ab37fd99c3df05c
SHA1 c4925ddb6567578ba5a51cfae5e4a324250c5bef
SHA256 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3
SHA512 b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 31d8277ffe3e87795ab37fd99c3df05c
SHA1 c4925ddb6567578ba5a51cfae5e4a324250c5bef
SHA256 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3
SHA512 b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 31d8277ffe3e87795ab37fd99c3df05c
SHA1 c4925ddb6567578ba5a51cfae5e4a324250c5bef
SHA256 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3
SHA512 b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini

MD5 423e40086627d3047147593380ea8ca5
SHA1 f784ca440b21ae4f672f49de1e1a2d691e06cbd8
SHA256 2689967db24241712d22c484dbf92b89848a405267fb23b7ff5173283dc6b219
SHA512 a53d7950e8d5431dc9487761da16d467f29935a472fcfe6bba3c3890c57774a0d7eeef99d67306da60f85cc171934426304095befc9182201583c1a6ef7b3663

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 e5e8af40077dff17ad3baefb8d5a3782
SHA1 090eb835c6dcc45b3b18fb5d28c8b131117ccb99
SHA256 e9c21242c9bd9be0c289a3d11f4c4234838b2fd3410a81a4f1c2c0c26415986f
SHA512 4e596d4973ccb6486740563cae43500855b3fb1c23ce49cfe86a494e013d137b2258d379687d61d267f127f6bee14d4fb75af600be73b705ea4ab9d0a87d0d61

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log

MD5 acb6e70e1d1aa7ff03330b0f298e9883
SHA1 4603e8e71b5e957a73f11b1334600ba2b8a0fb63
SHA256 0135ca5da840ac3adaf43b1a87bb00fc52be7c4c67aaa03136ac894d641c16eb
SHA512 7bde39e8d5ef219e78cfae50854e7f4ee0b14e64dd7b69e8f58b1dff67c0e4332bfc53d810238ab391b194df7c6fd49587418af79061264a091ee412dfa230dd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 6dc9d8463dba249d37c271f9dbe2a344
SHA1 0a43bd4bbbe908271c480cc6e3bbb163ce24c477
SHA256 ef5c8a485ef3db5ee2923d0d4f58c864fcaeeff56304c5608344f694787729fa
SHA512 dba0c0e3ced58c088a354b86c09c2c1544ee4e07875954472747528db16d5dc4c16831fb83234c06a8fff1303236262065515d59f9899d56d8c1e197519b1ccc

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5 cec93602bff0b1508c4d83e36b4af13c
SHA1 dacf344cba9c11df17da29b6f38feec6f2630a7f
SHA256 69e26529db3efb68a18211439e1cdffed08656b3d37007841ebd0ba896d1e8b5
SHA512 94fa5e73f089eb8c053cb83d246308cb2f5ea88ef3c1961797d05cd6b7b750a491e87bf9a9ed6b894e5debb280aba59c98c5a4d1e07390162f4b0787e7b4c6dd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp

MD5 38762a14d4971ef8a688f9483277c97f
SHA1 e99c116f42d3726d30cc58a4f2d7ab35937054b8
SHA256 7c1f0c51097a3dfd1f6cf3f33918b52d7f018bba30d2643f8c94a5052db4e9fa
SHA512 a0558b0d6c794c910ca71408d24c35eecacb263574b727f76c48c4a7eb2328144f1da218a06938ca3dda20df4e24e80a7bb59e9dae60ee237e8454511f78f843

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log

MD5 367bafff650d08397b3fdeb2aadefa41
SHA1 2c1b5bbd55f05fbe8d84bbef767011d568f78ce6
SHA256 707d5f9b89ad3a5315b64a1502035cd76f0f4be0f872e7cf23a9004c5e1f939c
SHA512 92f4d341e6427eca3255743d97030719e9b9fc26e5dfa99028718a2868cef3a8c1b36243187ddf492e5418f8cfb0e9e3876156309a48109940253b681f99e9d3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini

MD5 530840ddb4af161aea11de73b1d2feda
SHA1 118e37512bfd4fc3a6bda87dcb6000c9e9289896
SHA256 22b22732484a1fc15cc19b15d85ccb615d0ef08aae09d988c63d1359d31cec1a
SHA512 c8c832f6e6c8cec5de4fe33debe70a6b9c59211616516dcf261b04bf58bbfec5869388be8947087814ad97610587c940f57a892f37badbf7ec32252af7d54243

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini

MD5 ae82a8e607fbb6a828558ada4ff266ee
SHA1 98cc3e079494f683a9d6b8f05bf6f0ffe35e4b76
SHA256 00b55758406a79006cbfd460c5e5e798a21a7e05867159a244c4373948659d43
SHA512 bfb2bb63fe386c58d976aa71429d31f76b39863107583d8fcb73ef562e19e0c345f3856ae2ffaf25e3c1d3fef40edce32f3bff6c679a06363f4a67cc70bbfa8e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini

MD5 1e42bde26accc334647624ab16412a52
SHA1 e8aa4ce34105a4969c06d4163a2485bfbc53f713
SHA256 34d10bb259b3197b5ce7d6611817ab9c5cb897ba862cbbcb90ec53957e7132b1
SHA512 951c2a538fef2465bfbb36645b7ca37f422d789d6356afa1f5a172f2aa3924f1fbd5ff0a7ea73dd74ed394f177c563b20e69fde134c2484be3d2e47b6cfb9e42

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini

MD5 750e6a5b84dec99848ffb50051fd0604
SHA1 4ceeb0d58e611cdcaf0e69ae80dba52e68ea6bef
SHA256 b6b84538b333d1384ad3432e18bc62e31ff1135e94e5c833dcf950d4eeb080b4
SHA512 59bde0acb175a89c53a129cc455ec4ca770c5b93b79279ec5bfea14512830e8bbee75fce2fc8b0bb785c13f5cdd6b680059d16da499c692afb616046c3012d09

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini

MD5 18b967db686a2d7d04e723973784586e
SHA1 49b4ee6dd6558a4263b445f7b4e8a69325e8e7c3
SHA256 d93c2ef3660c4dd4feac8723872054984ce66108739a9c04198c5f2c5a6947f8
SHA512 d0612efe58a9e09865c6d397d60acc96270885f2541d2e1b4a1d1edd2b677195b3c5c99f0676070c4ef101e693b1b836a67f4a6f1191c3119e110b5e07be6c2b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini

MD5 4c4607086eea303132607280ca6f7a6c
SHA1 5757476c22b230f057b948ddff78b93d52cbd3e0
SHA256 33e755e49ae9ad60e26e4fdc3c4f5a7179cc54ad512e29695d0301d4745d5713
SHA512 a47df932b00c11520825a2c00090ed3cf5eb0ce17e2daa05180c8ccd97b95d72b0bdfe06aedcb3603bdbe8658b12c2c11400684e9c6dc8db43195e4bc7ce5584

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5 1737e2a33c2a9457b5951ceb7708038a
SHA1 fbafc0e2cce5b609fe82ce735ef502b46b7a339e
SHA256 b56c198e8e5cd3f970af404a26f06aba0f408fbc56ae4584ee943c890f97b1fa
SHA512 13e9ebc693c360ba7a5a89bac25bd271e7607fc15b0f2f0115bfb2635a75a2ae95c39dc18219b3d5a0f603db23fff70a4e278de6d995b39753dfb982845a235d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt

MD5 b0b9d7d80e94897f7f383d7cd9d59b52
SHA1 550c921474a9e3f5b4a711ddca2b4948acedf1f7
SHA256 f5ec548ad1fbca404bf032752945db98fba2e76e386098d19f3a5a5936a1d2fa
SHA512 63c155a094aa87c3694f135e997131f49c5aa98c2bbbdcd6f42ec6aa7f82208c8e58df8323ef2673cd0de948a5031c921be6d2fccb605f049381a82c671771e1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 763e9b750f2e3aee9c63ad66fe8c36a2
SHA1 5b42ff9b443e80349f47b654e9c835c441f40a24
SHA256 3fb05b7bf75fc45fcb6d4aa863261c20f479df98c8886dad9eb3e2dba8739c39
SHA512 6ccd5cc1bef4827513484ca20c5f06925a750782d6c024abf7c398873a27addfd50e94567f1848ccf934dab9dddde6834079bf3b3ee62b5c4066ae18a76e5d11

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5 1e920d0d93a5df1b135bc091d1f72728
SHA1 423d16b3950e50f5b5e9677a92b708bad3c9d440
SHA256 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2
SHA512 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 980f020e7a847e6a5102fed314daf30e
SHA1 7c2583f473478445ee30f918524e89b925e64797
SHA256 fcadbde5eec4986b9227f7c6e3a2ad8c7dec01a50690499b4c84451e1a1feb53
SHA512 666f8fd7275545cd26b1e1a1fb2ffe153292b74bb129c46417bd59b9e64c18bcb287269f62931d7f2f574bf2778b4c9746c99b521f1fd112e62d7c1d3be21dfa

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm

MD5 fa2fbc47358beabf4665dbeff3a585e8
SHA1 24451c2e50ec54c2b48fbf9bec0d09ba38aa3187
SHA256 08ccc235104e6dd10f3a3443dde6f6f9a3f8f29acb06eea0d63fb4bb75300644
SHA512 cdd829cbcc049ada7ccfd808166e1929b9654439327cde66d480b7f476fc2e0568f2a46825b6ac843a9da13f268f05becedfc6176df758404267eb52750e58e5

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5 e420f9a48eadb6cbff5baa3c0a70df37
SHA1 75d00911b1a349bab521d6f20dbda1ed6dbb8640
SHA256 71743c954184108756070c1adcfefaccd44919d008ac25ee7da3abaeaa807728
SHA512 cb9baadf7b3a09df83c4c1aff54accc1af08d7f4499acc6200462e59f09390f8083a506070cd977d5ab3b79015339355db0cc26aa9b3a99b59bc1e12791f1d3c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf

MD5 dab430269417b48ecebf3711839e0db7
SHA1 f0f31bf811a11bc917550f7457cfcd93bec4ef75
SHA256 a7d31e96c514421cf66a2430330b074274714c50cab7f93831735adcfccca883
SHA512 3e6e5dd17be81b0a4b5a61dba4d59f685c654b8df3d3f356b9864d38bea8f4c941c294e43f729e43c383860410183b991c95c51d59533e9c4df327c76286ec8d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg

MD5 05fa39bedde2f73c03a1897e6d13d4c6
SHA1 44989867fbba3178b63ac517307fcaccf6a397b1
SHA256 3736523d93b6c50edd5ee86c53c5125b4e64e01fd44160819b99278c3d88e78c
SHA512 e66506717b3b68a0f86b6711f070542615c4beef6b791b03b00dbf5f49866d8c4b2719a473fa5f391aa599081b56a584c0f4924ac678116e6d49d1864d247cd4

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 03:56

Reported

2022-02-20 04:32

Platform

win10v2004-en-20220113

Max time kernel

28s

Max time network

92s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe N/A

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe

"C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe"

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp

Files

memory/2280-130-0x00007FF79B9E0000-0x00007FF79BD63000-memory.dmp