Analysis Overview
SHA256
9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17
Threat Level: Known bad
The file 9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Drops desktop.ini file(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-20 03:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 03:56
Reported
2022-02-20 04:32
Platform
win7-en-20211208
Max time kernel
172s
Max time network
157s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 976 wrote to memory of 1140 | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | C:\Windows\system32\taskhost.exe |
| PID 976 wrote to memory of 1252 | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | C:\Windows\system32\Dwm.exe |
| PID 976 wrote to memory of 1292 | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | C:\Windows\Explorer.EXE |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe
"C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe"
Network
Files
memory/1140-54-0x000000013F040000-0x000000013F3C3000-memory.dmp
memory/1140-56-0x000000013F040000-0x000000013F3C3000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | 50b3f2fbf1fd004bef5455c39d6c9967 |
| SHA1 | e1bfe81aa3b3d4e847f9fb229c455a1e9c6ee87a |
| SHA256 | d6dacf3aa9c57feadb5c9e5dfea2c9f549be4b4f054cad9fc115e6ee3e172556 |
| SHA512 | 0be90b31e14fcd075098241b5735173604e34651b2716a4fd41d187874be9547873889883c4cdd88a50f34e739858d58bbad6970753ac237711f29ff7629f3c1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
| MD5 | e1013dfaf01055b78fc27c92894c8347 |
| SHA1 | 032e5cf3efd9902b19ef330fdb05b14bcf54cdb7 |
| SHA256 | 9015d29c2e87429e1614c9105a4d08590e959cd7524c155f0169932bf590ba44 |
| SHA512 | 3264e6910304df57e61ac7ffdca76791e442b3395e52e80798c132d3c04953c239d7cbd81f807b714824eada7f68dd9a88fbb62616bd24a2e554dff0fc2e7d9e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst
| MD5 | 6067eddd6450593fbc7fc2b2bfd5cfe4 |
| SHA1 | a8d44f6e88d8f72537a2c74f99e9715e2a5ca9d5 |
| SHA256 | 6504d5a673ce2d8d70848daa5bdc7b25180202af776f4de19ccc7abe6270709d |
| SHA512 | 68a611a60fc16db014506617fc265766cea7d11a2220891dcd1561df9be8d78ece3d4692b8130477dd3c3d6f0fae07911f5a8ff9db6be19328b0cf2eda9a565d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | 31d8277ffe3e87795ab37fd99c3df05c |
| SHA1 | c4925ddb6567578ba5a51cfae5e4a324250c5bef |
| SHA256 | 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3 |
| SHA512 | b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | 31d8277ffe3e87795ab37fd99c3df05c |
| SHA1 | c4925ddb6567578ba5a51cfae5e4a324250c5bef |
| SHA256 | 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3 |
| SHA512 | b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | 31d8277ffe3e87795ab37fd99c3df05c |
| SHA1 | c4925ddb6567578ba5a51cfae5e4a324250c5bef |
| SHA256 | 9a096ca10a36389a8c52e0df069ce4619b90c559b47159f4c579d803c4a961b3 |
| SHA512 | b9b85fc3fd1bfb875419bdee8c9520242a59765b9f5a2ddd79b9ce7bdec15aec98a98d4e87a22da3da41d113d1a4b0abef360349af82dba64cebd55c899642ba |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini
| MD5 | 423e40086627d3047147593380ea8ca5 |
| SHA1 | f784ca440b21ae4f672f49de1e1a2d691e06cbd8 |
| SHA256 | 2689967db24241712d22c484dbf92b89848a405267fb23b7ff5173283dc6b219 |
| SHA512 | a53d7950e8d5431dc9487761da16d467f29935a472fcfe6bba3c3890c57774a0d7eeef99d67306da60f85cc171934426304095befc9182201583c1a6ef7b3663 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
| MD5 | e5e8af40077dff17ad3baefb8d5a3782 |
| SHA1 | 090eb835c6dcc45b3b18fb5d28c8b131117ccb99 |
| SHA256 | e9c21242c9bd9be0c289a3d11f4c4234838b2fd3410a81a4f1c2c0c26415986f |
| SHA512 | 4e596d4973ccb6486740563cae43500855b3fb1c23ce49cfe86a494e013d137b2258d379687d61d267f127f6bee14d4fb75af600be73b705ea4ab9d0a87d0d61 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | acb6e70e1d1aa7ff03330b0f298e9883 |
| SHA1 | 4603e8e71b5e957a73f11b1334600ba2b8a0fb63 |
| SHA256 | 0135ca5da840ac3adaf43b1a87bb00fc52be7c4c67aaa03136ac894d641c16eb |
| SHA512 | 7bde39e8d5ef219e78cfae50854e7f4ee0b14e64dd7b69e8f58b1dff67c0e4332bfc53d810238ab391b194df7c6fd49587418af79061264a091ee412dfa230dd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 6dc9d8463dba249d37c271f9dbe2a344 |
| SHA1 | 0a43bd4bbbe908271c480cc6e3bbb163ce24c477 |
| SHA256 | ef5c8a485ef3db5ee2923d0d4f58c864fcaeeff56304c5608344f694787729fa |
| SHA512 | dba0c0e3ced58c088a354b86c09c2c1544ee4e07875954472747528db16d5dc4c16831fb83234c06a8fff1303236262065515d59f9899d56d8c1e197519b1ccc |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
| MD5 | cec93602bff0b1508c4d83e36b4af13c |
| SHA1 | dacf344cba9c11df17da29b6f38feec6f2630a7f |
| SHA256 | 69e26529db3efb68a18211439e1cdffed08656b3d37007841ebd0ba896d1e8b5 |
| SHA512 | 94fa5e73f089eb8c053cb83d246308cb2f5ea88ef3c1961797d05cd6b7b750a491e87bf9a9ed6b894e5debb280aba59c98c5a4d1e07390162f4b0787e7b4c6dd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
| MD5 | 38762a14d4971ef8a688f9483277c97f |
| SHA1 | e99c116f42d3726d30cc58a4f2d7ab35937054b8 |
| SHA256 | 7c1f0c51097a3dfd1f6cf3f33918b52d7f018bba30d2643f8c94a5052db4e9fa |
| SHA512 | a0558b0d6c794c910ca71408d24c35eecacb263574b727f76c48c4a7eb2328144f1da218a06938ca3dda20df4e24e80a7bb59e9dae60ee237e8454511f78f843 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
| MD5 | 367bafff650d08397b3fdeb2aadefa41 |
| SHA1 | 2c1b5bbd55f05fbe8d84bbef767011d568f78ce6 |
| SHA256 | 707d5f9b89ad3a5315b64a1502035cd76f0f4be0f872e7cf23a9004c5e1f939c |
| SHA512 | 92f4d341e6427eca3255743d97030719e9b9fc26e5dfa99028718a2868cef3a8c1b36243187ddf492e5418f8cfb0e9e3876156309a48109940253b681f99e9d3 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini
| MD5 | 530840ddb4af161aea11de73b1d2feda |
| SHA1 | 118e37512bfd4fc3a6bda87dcb6000c9e9289896 |
| SHA256 | 22b22732484a1fc15cc19b15d85ccb615d0ef08aae09d988c63d1359d31cec1a |
| SHA512 | c8c832f6e6c8cec5de4fe33debe70a6b9c59211616516dcf261b04bf58bbfec5869388be8947087814ad97610587c940f57a892f37badbf7ec32252af7d54243 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
| MD5 | ae82a8e607fbb6a828558ada4ff266ee |
| SHA1 | 98cc3e079494f683a9d6b8f05bf6f0ffe35e4b76 |
| SHA256 | 00b55758406a79006cbfd460c5e5e798a21a7e05867159a244c4373948659d43 |
| SHA512 | bfb2bb63fe386c58d976aa71429d31f76b39863107583d8fcb73ef562e19e0c345f3856ae2ffaf25e3c1d3fef40edce32f3bff6c679a06363f4a67cc70bbfa8e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
| MD5 | 1e42bde26accc334647624ab16412a52 |
| SHA1 | e8aa4ce34105a4969c06d4163a2485bfbc53f713 |
| SHA256 | 34d10bb259b3197b5ce7d6611817ab9c5cb897ba862cbbcb90ec53957e7132b1 |
| SHA512 | 951c2a538fef2465bfbb36645b7ca37f422d789d6356afa1f5a172f2aa3924f1fbd5ff0a7ea73dd74ed394f177c563b20e69fde134c2484be3d2e47b6cfb9e42 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
| MD5 | 750e6a5b84dec99848ffb50051fd0604 |
| SHA1 | 4ceeb0d58e611cdcaf0e69ae80dba52e68ea6bef |
| SHA256 | b6b84538b333d1384ad3432e18bc62e31ff1135e94e5c833dcf950d4eeb080b4 |
| SHA512 | 59bde0acb175a89c53a129cc455ec4ca770c5b93b79279ec5bfea14512830e8bbee75fce2fc8b0bb785c13f5cdd6b680059d16da499c692afb616046c3012d09 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini
| MD5 | 18b967db686a2d7d04e723973784586e |
| SHA1 | 49b4ee6dd6558a4263b445f7b4e8a69325e8e7c3 |
| SHA256 | d93c2ef3660c4dd4feac8723872054984ce66108739a9c04198c5f2c5a6947f8 |
| SHA512 | d0612efe58a9e09865c6d397d60acc96270885f2541d2e1b4a1d1edd2b677195b3c5c99f0676070c4ef101e693b1b836a67f4a6f1191c3119e110b5e07be6c2b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
| MD5 | 4c4607086eea303132607280ca6f7a6c |
| SHA1 | 5757476c22b230f057b948ddff78b93d52cbd3e0 |
| SHA256 | 33e755e49ae9ad60e26e4fdc3c4f5a7179cc54ad512e29695d0301d4745d5713 |
| SHA512 | a47df932b00c11520825a2c00090ed3cf5eb0ce17e2daa05180c8ccd97b95d72b0bdfe06aedcb3603bdbe8658b12c2c11400684e9c6dc8db43195e4bc7ce5584 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
| MD5 | 1737e2a33c2a9457b5951ceb7708038a |
| SHA1 | fbafc0e2cce5b609fe82ce735ef502b46b7a339e |
| SHA256 | b56c198e8e5cd3f970af404a26f06aba0f408fbc56ae4584ee943c890f97b1fa |
| SHA512 | 13e9ebc693c360ba7a5a89bac25bd271e7607fc15b0f2f0115bfb2635a75a2ae95c39dc18219b3d5a0f603db23fff70a4e278de6d995b39753dfb982845a235d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt
| MD5 | b0b9d7d80e94897f7f383d7cd9d59b52 |
| SHA1 | 550c921474a9e3f5b4a711ddca2b4948acedf1f7 |
| SHA256 | f5ec548ad1fbca404bf032752945db98fba2e76e386098d19f3a5a5936a1d2fa |
| SHA512 | 63c155a094aa87c3694f135e997131f49c5aa98c2bbbdcd6f42ec6aa7f82208c8e58df8323ef2673cd0de948a5031c921be6d2fccb605f049381a82c671771e1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 763e9b750f2e3aee9c63ad66fe8c36a2 |
| SHA1 | 5b42ff9b443e80349f47b654e9c835c441f40a24 |
| SHA256 | 3fb05b7bf75fc45fcb6d4aa863261c20f479df98c8886dad9eb3e2dba8739c39 |
| SHA512 | 6ccd5cc1bef4827513484ca20c5f06925a750782d6c024abf7c398873a27addfd50e94567f1848ccf934dab9dddde6834079bf3b3ee62b5c4066ae18a76e5d11 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
| MD5 | 980f020e7a847e6a5102fed314daf30e |
| SHA1 | 7c2583f473478445ee30f918524e89b925e64797 |
| SHA256 | fcadbde5eec4986b9227f7c6e3a2ad8c7dec01a50690499b4c84451e1a1feb53 |
| SHA512 | 666f8fd7275545cd26b1e1a1fb2ffe153292b74bb129c46417bd59b9e64c18bcb287269f62931d7f2f574bf2778b4c9746c99b521f1fd112e62d7c1d3be21dfa |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm
| MD5 | fa2fbc47358beabf4665dbeff3a585e8 |
| SHA1 | 24451c2e50ec54c2b48fbf9bec0d09ba38aa3187 |
| SHA256 | 08ccc235104e6dd10f3a3443dde6f6f9a3f8f29acb06eea0d63fb4bb75300644 |
| SHA512 | cdd829cbcc049ada7ccfd808166e1929b9654439327cde66d480b7f476fc2e0568f2a46825b6ac843a9da13f268f05becedfc6176df758404267eb52750e58e5 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
| MD5 | e420f9a48eadb6cbff5baa3c0a70df37 |
| SHA1 | 75d00911b1a349bab521d6f20dbda1ed6dbb8640 |
| SHA256 | 71743c954184108756070c1adcfefaccd44919d008ac25ee7da3abaeaa807728 |
| SHA512 | cb9baadf7b3a09df83c4c1aff54accc1af08d7f4499acc6200462e59f09390f8083a506070cd977d5ab3b79015339355db0cc26aa9b3a99b59bc1e12791f1d3c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
| MD5 | dab430269417b48ecebf3711839e0db7 |
| SHA1 | f0f31bf811a11bc917550f7457cfcd93bec4ef75 |
| SHA256 | a7d31e96c514421cf66a2430330b074274714c50cab7f93831735adcfccca883 |
| SHA512 | 3e6e5dd17be81b0a4b5a61dba4d59f685c654b8df3d3f356b9864d38bea8f4c941c294e43f729e43c383860410183b991c95c51d59533e9c4df327c76286ec8d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 05fa39bedde2f73c03a1897e6d13d4c6 |
| SHA1 | 44989867fbba3178b63ac517307fcaccf6a397b1 |
| SHA256 | 3736523d93b6c50edd5ee86c53c5125b4e64e01fd44160819b99278c3d88e78c |
| SHA512 | e66506717b3b68a0f86b6711f070542615c4beef6b791b03b00dbf5f49866d8c4b2719a473fa5f391aa599081b56a584c0f4924ac678116e6d49d1864d247cd4 |
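Added example (not part of the sandbox output): the listing above repeats the same ransom note under dozens of paths, so the indicators worth keeping are the unique hashes, not the paths. The Python below parses this report's own layout (a path line followed by `| MD5 | ... |` rows), validates digest lengths, groups entries by SHA256 and reports how many locations each unique artifact was written to. It also counts repeated `Application Data` segments per path; a long run of them is what traversal that follows the Windows 7 compatibility junctions instead of skipping reparse points produces, which is an inference from the paths, not something the report states. SAMPLE is a constructed excerpt of three entries copied from the listing above.

```python
"""Collapse a sandbox 'dropped files' listing into unique artifacts.

Added example for this report, not part of the sandbox output. Parses the
'<path>' line followed by '| MD5 | ... |' rows layout used in the report,
groups entries by SHA256 and reports each unique artifact once.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three entries copied in the report's own layout.
SAMPLE = r"""
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | 1e920d0d93a5df1b135bc091d1f72728 |
| SHA1 | 423d16b3950e50f5b5e9677a92b708bad3c9d440 |
| SHA256 | 18fb3d596fb7bc197d0ec8eca275dca9f1de473f7e9157d03a9850305077fef2 |
| SHA512 | 0eaaa191cf984e13740405610df18ad6db649d5abb4bb865acb4058c69862ecefbce3aff99147532066771f869b626c32c3b5cc05774bcec1a544e0826d87a48 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\History\desktop.ini
| MD5 | 423e40086627d3047147593380ea8ca5 |
| SHA1 | f784ca440b21ae4f672f49de1e1a2d691e06cbd8 |
| SHA256 | 2689967db24241712d22c484dbf92b89848a405267fb23b7ff5173283dc6b219 |
| SHA512 | a53d7950e8d5431dc9487761da16d467f29935a472fcfe6bba3c3890c57774a0d7eeef99d67306da60f85cc171934426304095befc9182201583c1a6ef7b3663 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a Windows drive path starts an entry
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per algorithm


@dataclass
class Artifact:
    name: str            # file name of the first occurrence
    hashes: dict         # algo -> hex digest
    paths: list = field(default_factory=list)


def parse_listing(text):
    """Return [(path, {algo: digest}), ...] in listing order.

    Hash rows attach to the most recent path line; a digest of the wrong
    length means the row was mangled and is rejected rather than trusted.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = (line, {})
            entries.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != EXPECTED_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current[0]}")
            current[1][algo] = digest
    return entries


def unique_artifacts(entries):
    """Group entries by SHA256 -> Artifact; entries without a SHA256 are skipped."""
    by_hash = {}
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is None:
            continue
        art = by_hash.get(sha)
        if art is None:
            art = by_hash[sha] = Artifact(name=path.rsplit("\\", 1)[-1], hashes=hashes)
        art.paths.append(path)
    return by_hash


def junction_depth(path):
    """Number of 'Application Data' segments in the path (junction loop indicator)."""
    return path.split("\\").count("Application Data")


def summarize(text):
    """One row per unique SHA256, most widely written artifacts first."""
    rows = []
    for sha, art in unique_artifacts(parse_listing(text)).items():
        rows.append({
            "name": art.name,
            "sha256": sha,
            "md5": art.hashes.get("MD5"),
            "locations": len(art.paths),
            "max_junction_depth": max(junction_depth(p) for p in art.paths),
        })
    rows.sort(key=lambda r: -r["locations"])
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(f'{row["locations"]:>3}x  {row["name"]:<16} sha256={row["sha256"]}  '
              f'junction_depth={row["max_junction_depth"]}')
```

Run against the full listing instead of SAMPLE and the ransom note collapses to a single SHA256 with one row per unique desktop.ini, log and cache file; those unique hashes are what to load into a blocklist, while the paths only describe the test VM.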
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 03:56
Reported
2022-02-20 04:32
Platform
win10v2004-en-20220113
Max time kernel
28s
Max time network
92s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe
"C:\Users\Admin\AppData\Local\Temp\9fe66773c84d371ef1b424005996ade4d5e16fb00306a1d54b107b2b2d03fe17.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
Files
memory/2280-130-0x00007FF79B9E0000-0x00007FF79BD63000-memory.dmp