Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-fw8mvshae8
Target 80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
SHA256 80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
Tags
ryuk persistence ransomware
score
10/10

Analysis Overview

score
10/10

SHA256

80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05

Threat Level: Known bad

The file 80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05 was found to be: Known bad.

Malicious Activity Summary

ryuk persistence ransomware

Ryuk

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Enumerates physical storage devices

Program crash

Modifies registry class

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:14

Reported

2022-02-20 05:41

Platform

win7-en-20211208

Max time kernel

175s

Max time network

96s

Command Line

"C:\Windows\system32\Dwm.exe"

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qcmUfvS.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
N/A N/A C:\Windows\system32\taskhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe
PID 1528 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe
PID 1528 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe
PID 1528 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\taskhost.exe
PID 1528 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 676 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\Dwm.exe
PID 676 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 676 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 676 wrote to memory of 1260 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 276 wrote to memory of 1328 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 276 wrote to memory of 1328 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 276 wrote to memory of 1328 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1116 wrote to memory of 308 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 308 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 308 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\cmd.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1116 wrote to memory of 916 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 820 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\net.exe
PID 820 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\net.exe
PID 820 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\net.exe
PID 756 wrote to memory of 2024 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 756 wrote to memory of 2024 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 756 wrote to memory of 2024 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 1792 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 1792 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 916 wrote to memory of 1792 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 1944 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\cmd.exe
PID 1528 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\cmd.exe
PID 1528 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\cmd.exe
PID 1944 wrote to memory of 1348 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1944 wrote to memory of 1348 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1944 wrote to memory of 1348 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 308 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 308 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 308 wrote to memory of 2256 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1952 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1952 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1952 wrote to memory of 2264 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 820 wrote to memory of 7188 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\cmd.exe
PID 820 wrote to memory of 7188 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\cmd.exe
PID 820 wrote to memory of 7188 N/A C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe C:\Windows\System32\cmd.exe
PID 7188 wrote to memory of 7240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 7188 wrote to memory of 7240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 7188 wrote to memory of 7240 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 1528 wrote to memory of 7992 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 7992 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 7992 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 7992 wrote to memory of 8016 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 7992 wrote to memory of 8016 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 7992 wrote to memory of 8016 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1528 wrote to memory of 89504 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 89504 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 1528 wrote to memory of 89504 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 89504 wrote to memory of 91140 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 89504 wrote to memory of 91140 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe

Processes

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe

"C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe"

C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe

"C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" 8 LAN

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

Country Destination Domain Proto
N/A 10.127.0.1:7 udp
NL 154.61.71.51:7 udp
N/A 224.0.0.22:7 udp
N/A 224.0.0.252:7 udp
N/A 239.255.255.250:7 udp

Files

memory/1528-54-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

\Users\Admin\AppData\Local\Temp\qcmUfvS.exe

C:\Users\Admin\AppData\Local\Temp\qcmUfvS.exe

memory/1116-58-0x000000013FB90000-0x000000013FC26000-memory.dmp

memory/1116-59-0x000000013FB90000-0x000000013FC26000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

C:\Documents and Settings\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

C:\Documents and Settings\Admin\RyukReadMe.html

C:\RyukReadMe.html

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 6759dd67092ab01baae35736ad962476
SHA1 e312dccc0ef0afa9f16f62e178d610d16e94f159
SHA256 d52bb81b0d5d58a5893150731fd8775da3b8bedbeb704753e5c394cefe7dd1c8
SHA512 ad8eeaa99a33b20e23ec85d80ad2d933c69502012259b15bf18b2f11ba12681464d02440918c1004fd877ad30532f531882a45fc38d9dd7271807f99e9ddcf29

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp

MD5 4d727a21ff8e89bdfbecce4108fb2ff6
SHA1 cdc365a9c14b57600869e6bd2e0de55089f2a972
SHA256 af5c5773aa8661fb7802a38f936c967b5f8b3bbe3aba5ca705eb39e41ed6635b
SHA512 a7b2c6c3efca0e2fb67d6e5a4df77556b4ce41a0ca9c8f31f36ca949fae1afeb59a23d7c1e9ff9933034579e702a846afbca63ac640052b3a7dffd9647656710

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5 d3666d7fbd0181614846fc58962382fd
SHA1 f106bc2379e6e5007823cb6f91913c98aeb75ec9
SHA256 2bb5291300608969eb53c6ec9da494be8d0334109fd7f40fddc7e7f512a93d33
SHA512 30640e350b28c5b0a0040af687434bbba52f6831b971bea13099eaed9e804e4919576a683f1f2b5210d1310c58c9bc15e0b56fa4f342630c58bfb95bb085f7c4

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt

MD5 6fe077f37126d6cc6a601a21bf59a623
SHA1 900a6f0a489469695c15d494e92fe8eaaa0a2fbb
SHA256 84f520c695e55bb0004fa65315e6248f539647b63add827e4b92882ba40e3d70
SHA512 c140053b3612cfc58c4df5ab058a6e29f41ee050d6d52fb8e14feeb440bbcd591ef0ff27271939d26674269f431a17024afcd40d2815f9ec48f63a96f1cba50e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk

MD5 248380e8e878673c1f3d1c5d503869c4
SHA1 1f9eaad3d2ccfb41edb959ff0e637b4f448fa9fb
SHA256 a352d1147394eb81ac1975f85c92d320aaeb348bf69262918edddafdd88b907d
SHA512 c4be3ef31b2f89091ec0dc5741d821b331bf517b23ec285e810358c604da88da127dc6d2132394372207bd7661c273c47f2b3f392976db35ec401f7c98e837bf

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm

MD5 e81766b72807b94dacf40a7bc8cd033c
SHA1 c68edeecddca803a003078c9b2c6d20b63a45774
SHA256 7be91c343e29ac79aded29fe02215f1e976d9bd9beb547634176a20c38988c2b
SHA512 e6b06d8aee979445ad1f33404703d5b1b4c03a58da85f7cfc3c95006d19cc3901254f876246cebd818b080eaf623a08acffdfc4d261aab907223158950415ba3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg

MD5 4d7a7578ede64ed923c0477a05a52aec
SHA1 a64ac1f4f079a31554456905b2846e759e24c676
SHA256 3b144ce09b133492b9f6e93d0c6d8085a254a1078250bb29f07c2d4a80efe1d8
SHA512 b25b28d6ff7854d0d543c0bdb776249cd4749bd4abc1dee89a94d0fdfec47b2791afe373c554d326790cc7dd7d29652975c287545244b6f4253953c78923c845

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5 5c68f98397b76be5cd328b9fdc1fb0db
SHA1 68af656eecc169eebb0c90818a268eb51a270e5f
SHA256 a8b183127b7f430326df249e1a8d67f17eaca208393a0d23a615a28ba09698b4
SHA512 3b7e078ae59b8521c3188f88f3baa2eb15a3fefe113e0cc43dab2f26acad47cb1b7abe68f547d44fe4d8374314274a8a720371e748307f8caa8473ac5ef528f3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg

MD5 b8a8bc4707924d1db7a69fbd5a54fb98
SHA1 c4424d5ec1cd876864380dc8aa2255a59188359c
SHA256 e616cc54c158c6b736416287d5f9bcef47c1988dbab996b9deef20b3be8de241
SHA512 3f8a81a60564b3dc7eda83ab2e06f288734d97d2dcf101a2ed0321b807742f1ae56c7dbdbd115e5920aa84ae145f25d6f226b3651a9cfe4205e4ff8a3eda8497

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log

MD5 bff091796ef03436fd7776596cc7c822
SHA1 1e5a9dd36289cbd8f7732599c13ab4350c28a84b
SHA256 c905a6827b4c54c02e1d0ca3c9c8ed4ec68d808e64644f4c551234b178fdd820
SHA512 0e986f441cfd47d7f7d84548add199d68769078cfbbf0db7ce7ccabd76fd57b6328e9829203185e65fb417fe16a52dc73be3c20a3a141129a7f05413c025a055

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs

MD5 4595b3eea727863c18506abad3470f3e
SHA1 ad64fc68dfb8ac76db2178b9cc4847c107f78094
SHA256 37f00b1f88ac309e32d0418682f540dee8d534fd065c6e8c0b0459c8ecf4557d
SHA512 eac7f0667d7ad74408910d857a3d1968c74ce6b45dd6a77a85b09ed40b2bc7e56f4f5b25fa14321dbab63ba55b26112b106e3d2b4450ff4fab497261fe7f7f89

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5 5b63d250ec92c644e776c8a70fe3b5bc
SHA1 35dbc54381986adeb0ebc96c45c60ce7b6f8c141
SHA256 5b21f401b71d3017f826f8f6a74af887c8feb543ae58a21b7d5357ce23ab93cc
SHA512 7830d308f55d722b8f06d63b74e0f10ff4fc23b0cba436ed1f9b1f6a1a9bc5eb768db69552ea170c7635b3130542cbf2a13bb430821eba7c4b3e258e787169a5

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm

MD5 0d067a9c37148edc994a9d0dfae48748
SHA1 193b848a958701ffe26418951b395533ca7f135f
SHA256 8ca6724d61d2554d6ccb1fb112f4dc30eed76cc5f40b5023eded1383925d764a
SHA512 4aee4042d6bb933d7ad5a6ea135abfcef381dc45027c898b6dfbb85f77581882fe4422ca83b3d6bcfe19a43457d24a11b7aa6f02465e0189e9c7714e63fce7a1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.htm

MD5 c152d06da156d8b449c601af2d638412
SHA1 eb8717f32e2fe93142b1bd670dc27c6e6c1d0326
SHA256 f19c48e2778c8e7f0250e02499e432cda2690f1d6735955b14d2cec65a7e4702
SHA512 ccd9b795658082f32fd338d89d15a4580adff876a434c7920ce234d48af21f35f76dc608edd994f60f6009b327f04cdfe88ce5f12a571416235055fd2e5b4ef3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf

MD5 7d1d4da501702726e875ddf7645b51e1
SHA1 ec08db8ff44d81e1e1627a86399a6cdc7f943a32
SHA256 befd6a61ee0d9a31073fc5b9cbfaae11743412a9ab5429c56b1e50bac4a66708
SHA512 f3dfb9344c55fd285fa6f54577b14e4251d6c1b85253b55e01b7fe19f8c07ed87a20e10a9c9f5110a58ba9cb1610e8d7716ecb96a70cb332325b31963f661bbf

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Memo.emf

MD5 3cb8fe3e79440cf3ca80ba463d46b24d
SHA1 718a8cd3d9592b0a495179d10fdc7270e71d6c76
SHA256 25cf2e28586722861813193299ed4012cb9d405acd8f28b0639e01ac484a72b0
SHA512 3c41ec41a12b9369d1d926c0bcfefbb166fed668ef48393ab2e0031a3e0e64888ff100e3d8e3c7abddfa75a4a9c0f4b3cd833fbef29db5b785559f4c2962d955

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf

MD5 e8931414359e4783093b266e1a47ad0d
SHA1 b25816055d8f07c5c8733c6c02a22ac8bed390d0
SHA256 fe57d6f07cf5df99737889f915645e6148ff058f9b54e33223c3190bc47e5a87
SHA512 b91018ba2e93d63ef110c05b0f04b12c0063df45ca2c6ff1c5cf5610182310ab5cb9b04d9aa050f410367852b3e4cd324ad1e63c23114ca7dff523287680463e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log

MD5 d24549b1db22fd40006cb7324bce6c67
SHA1 a7dd5f4936a00d476e0dd97d7866aaf5d0e98408
SHA256 20c34231eaba7ebd1e7010d7d9fca4fa208aa9611f04d681d3ce2580c1aecd88
SHA512 1231550e0d2d1df5988a184ab298a953252d3b280e7b08e44c069c42c38a5e52ddaa3d82694018459177a6e07bab56308d14ff4e73e647afeb29973ae0adfb34

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.jpg

MD5 ab36e44e94145b83fd21f8d46404e88e
SHA1 5ca38df33349bf9d5b3705d49b7a9fd67acd6056
SHA256 a9ec234977b88353a782cbe38cf8c8a745a539d77597b68ed7351cd40b7f7ba2
SHA512 2ddf1bb74180fd7f02c9252cc8413ccf04b6d70f7e9f57dd5fff36fa1156be9bb20e5f7ecc23178a0ec28293792fb06b57f3402965d50a866ef7e8cddd66bbb3

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Seyes.emf

MD5 b937e3f00d3375cca90d26ab73b31a2c
SHA1 5a941f38afda6ffe078d5a33da19f4104fcd2be3
SHA256 f34a29598505f7fa1f49d91f401edbd3d9b3afeb15b47c2db9b42867efe33246
SHA512 3400862aaab4ffbfdb3c749559dbf60ca50de38cbf8b838dad7783bbf27432de8c8dcfdb468f9ad977d8554e0099682670bffda960c5114dd69b8f45b1987a88

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg

MD5 0ab361b8be73ba6f94298584f0678920
SHA1 de98e4058e049dea7e6db12f49eeb79fe9ca2e0e
SHA256 bf3b94baa562dec50db90a016605cd4e8adcfde8ee7e1a0a4162197b06e58361
SHA512 b845160c57bb95fd20cbedd41869c20ad81b3e1cd9c8c0904a5687c34f79efc35ad3a913e5dee4a4a47fe6a17a00d784f87e7fff4d32e455df667c42a9f9322e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:14

Reported

2022-02-20 05:39

Platform

win10v2004-en-20220112

Max time kernel

168s

Max time network

189s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Ryuk

ransomware ryuk

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\SjvaCxf.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\sihost.exe" C:\Windows\system32\reg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Windows\system32\DllHost.exe

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = 999f4d3e2426d801 C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = "Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = 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 C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System C:\Windows\System32\RuntimeBroker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = "8324" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = "\\\\?\\Volume{018D5B2B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\\LocalState\\StagedAssets\\1964ab63ff8313280b54753a0b30f12b588d56dd122e3b7352077f3184fa661e" C:\Windows\System32\RuntimeBroker.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\PersistedStorageItemTable\System\12282a43-b513-45de- = "0" C:\Windows\System32\RuntimeBroker.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Windows\system32\sihost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3148 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe
PID 3148 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe
PID 3148 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\sihost.exe
PID 3148 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\svchost.exe
PID 3148 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\taskhostw.exe
PID 3148 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\svchost.exe
PID 3148 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\DllHost.exe
PID 3148 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3148 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\RuntimeBroker.exe
PID 3148 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3148 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\RuntimeBroker.exe
PID 3148 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\RuntimeBroker.exe
PID 3148 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\RuntimeBroker.exe
PID 3148 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\BackgroundTransferHost.exe
PID 3148 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\backgroundTaskHost.exe
PID 3148 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\system32\backgroundTaskHost.exe
PID 2200 wrote to memory of 3196 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\cmd.exe
PID 2200 wrote to memory of 3196 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\cmd.exe
PID 3196 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3196 wrote to memory of 2884 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3148 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\cmd.exe
PID 3148 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\cmd.exe
PID 3868 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3868 wrote to memory of 4324 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 3148 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3620 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\net.exe
PID 3620 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\net.exe
PID 2200 wrote to memory of 4948 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2200 wrote to memory of 4948 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3620 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\net.exe
PID 3620 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\net.exe
PID 2200 wrote to memory of 4984 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 2200 wrote to memory of 4984 N/A C:\Windows\system32\sihost.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 4744 wrote to memory of 5388 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4744 wrote to memory of 5388 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4948 wrote to memory of 5396 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4948 wrote to memory of 5396 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4984 wrote to memory of 5404 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4984 wrote to memory of 5404 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4956 wrote to memory of 5412 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4956 wrote to memory of 5412 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4940 wrote to memory of 5420 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4940 wrote to memory of 5420 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5192 wrote to memory of 5428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5192 wrote to memory of 5428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4728 wrote to memory of 5444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4728 wrote to memory of 5444 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4976 wrote to memory of 5456 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4976 wrote to memory of 5456 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 5552 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2700 wrote to memory of 5552 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 3620 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\cmd.exe
PID 3620 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\cmd.exe
PID 5904 wrote to memory of 5956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 5904 wrote to memory of 5956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
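Rows like the ones above are easier to reason about as a process tree than as a flat list. The following is an added example, not part of the sandbox's own output: it parses each row as a parent/child edge, collapses the pairs (every row appears twice in the list above), and walks the tree to print the chains, so the sample -> net.exe -> net1.exe and SjvaCxf.exe -> cmd.exe -> reg.exe relationships become explicit. It assumes the row layout shown here (`PID <parent> wrote to memory of <child> N/A <parent image> <child image>`) and that image paths contain no spaces, which holds for this table; the sample rows are copied from the list above.

```python
"""Rebuild parent/child process chains from "wrote to memory of" rows.
Added example; assumes the row format used in this report."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# PID <parent> wrote to memory of <child> N/A <parent image> <child image>
# Image paths in this table contain no spaces, so \S+ is enough here.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

Edge = Tuple[int, int, str, str]  # (parent pid, child pid, parent image, child image)

# Rows copied from the list above (each one is listed twice in the report).
ROWS = r"""
PID 3148 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 3148 wrote to memory of 5192 N/A C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe C:\Windows\System32\net.exe
PID 4744 wrote to memory of 5388 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 4744 wrote to memory of 5388 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5192 wrote to memory of 5428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 5192 wrote to memory of 5428 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2700 wrote to memory of 5552 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 2700 wrote to memory of 5552 N/A C:\Windows\system32\DllHost.exe C:\Windows\system32\WerFault.exe
PID 3620 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\cmd.exe
PID 3620 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe C:\Windows\System32\cmd.exe
PID 5904 wrote to memory of 5956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
PID 5904 wrote to memory of 5956 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\reg.exe
"""


def parse_rows(text: str) -> List[Edge]:
    """Parse rows into unique edges, keeping first-seen order."""
    seen: Set[Edge] = set()
    edges: List[Edge] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
        if edge not in seen:  # the duplicated rows collapse to a single edge
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges: List[Edge]) -> Tuple[Dict[int, List[int]], Dict[int, str]]:
    """Return child lists per parent pid and an image path per pid."""
    children: Dict[int, List[int]] = defaultdict(list)
    image: Dict[int, str] = {}
    for parent, child, parent_img, child_img in edges:
        children[parent].append(child)
        image.setdefault(parent, parent_img)
        image.setdefault(child, child_img)
    return children, image


def roots(edges: List[Edge]) -> List[int]:
    """Pids that write to others but are never written to in this excerpt."""
    parents = {e[0] for e in edges}
    kids = {e[1] for e in edges}
    return sorted(parents - kids)


def chains_from(pid: int, children: Dict[int, List[int]], image: Dict[int, str]) -> List[List[str]]:
    """Every root-to-leaf chain below pid, as image basenames."""
    name = image[pid].rsplit("\\", 1)[-1]
    if pid not in children:
        return [[name]]
    return [[name] + rest for child in children[pid] for rest in chains_from(child, children, image)]


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    tree, names = build_tree(parsed)
    for root in roots(parsed):
        for chain in chains_from(root, tree, names):
            print(f"{root}: " + " -> ".join(chain))
```

The net.exe -> net1.exe hops are expected: net.exe delegates most subcommands to net1.exe, so a "net stop" always shows up as that pair. What matters for triage is the parent of net.exe, which here is the sample itself.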

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\BackgroundTransferHost.exe

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe

"C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe"

C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe

"C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe" 8 LAN

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\sihost.exe" /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe" /f

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 440 -p 3376 -ip 3376

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 488 -p 1376 -ip 1376

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 424 -p 2700 -ip 2700

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2700 -s 1008

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 572 -p 2888 -ip 2888

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe" /f

C:\Windows\system32\reg.exe

REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe" /f
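Three things in the command lines above are worth turning into detection logic: the Run-key value is named `svchos` (one character short of `svchost`) and is written three times with different targets, the dropped copy runs from `%TEMP%` with the arguments `8 LAN`, and services are stopped non-interactively with `net stop <service> /y`. The following is an added example, not part of the report or of any sandbox tooling: it classifies process-creation events (image path plus command line) with those checks and replays the REG ADD calls in the order listed to show which target ends up persisting, since later writes to the same value name overwrite earlier ones. The sample events are copied from the Processes list above; the two benign events at the end are constructed for contrast. Public reporting on Ryuk variants with LAN propagation associates the `8 LAN` argument string with that mode, but this report shows only the command line, so the tag records the argument and claims nothing further.

```python
"""Classify process-creation events for the Ryuk behaviours shown in this report:
Run-key persistence under a look-alike value name, execution from %TEMP%, and
non-interactive "net stop <service> /y". Added example, not report tooling."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Names an attacker-chosen Run value tends to imitate; "svchos" is one edit from "svchost".
SYSTEM_NAMES = {"svchost", "sihost", "lsass", "csrss", "explorer", "winlogon", "taskhostw"}

RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK(?:EY_CURRENT_USER|CU)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"?',
    re.IGNORECASE)
VALUE_RE = re.compile(r'/v\s+"?([^"\s]+)"?', re.IGNORECASE)
DATA_RE = re.compile(r'/d\s+"([^"]+)"', re.IGNORECASE)
NET_STOP_RE = re.compile(r'net1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?', re.IGNORECASE)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name: str) -> Optional[str]:
    """The system name this value name imitates (edit distance 1), or None."""
    low = name.lower()
    if low in SYSTEM_NAMES:
        return None
    for known in SYSTEM_NAMES:
        if edit_distance(low, known) == 1:
            return known
    return None


def classify(image: str, cmdline: str) -> Set[str]:
    """Tags for one process-creation event."""
    tags: Set[str] = set()
    if TEMP_RE.search(image):
        tags.add("exec_from_temp")
    if RUN_KEY_RE.search(cmdline):
        tags.add("run_key_persistence")
        v = VALUE_RE.search(cmdline)
        if v and lookalike_of(v.group(1)):
            tags.add("lookalike_value_name")
        d = DATA_RE.search(cmdline)
        if d and TEMP_RE.search(d.group(1)):
            tags.add("run_key_targets_temp")
    s = NET_STOP_RE.search(cmdline)
    if s:
        tags.add("service_stop:" + s.group(1).lower())
        if re.search(r"\s/y\b", cmdline, re.IGNORECASE):
            tags.add("service_stop_noninteractive")
    if re.search(r"\s8\s+LAN\s*$", cmdline):
        tags.add("ryuk_lan_args")  # records the argument only; see the lead-in
    return tags


def final_run_key(events: List[Tuple[str, str]]) -> Dict[str, str]:
    """Replay reg.exe Run-key writes in order; the last write to a value name wins."""
    run: Dict[str, str] = {}
    for image, cmdline in events:
        if not image.lower().endswith("reg.exe") or not RUN_KEY_RE.search(cmdline):
            continue
        v, d = VALUE_RE.search(cmdline), DATA_RE.search(cmdline)
        if v and d:
            run[v.group(1).lower()] = d.group(1)
    return run


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_PATH = TEMP + "\\80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05.exe"
COPY_PATH = TEMP + "\\SjvaCxf.exe"
RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

# (image, command line): the first seven are copied from the Processes list above.
EVENTS: List[Tuple[str, str]] = [
    (SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    (COPY_PATH, f'"{COPY_PATH}" 8 LAN'),
    (r"C:\Windows\system32\reg.exe", f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "C:\\Windows\\system32\\sihost.exe" /f'),
    (r"C:\Windows\system32\reg.exe", f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{SAMPLE_PATH}" /f'),
    (r"C:\Windows\System32\net.exe", '"C:\\Windows\\System32\\net.exe" stop "samss" /y'),
    (r"C:\Windows\system32\net1.exe", 'C:\\Windows\\system32\\net1 stop "audioendpointbuilder" /y'),
    (r"C:\Windows\system32\reg.exe", f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{COPY_PATH}" /f'),
    # constructed benign events, not from the report
    (r"C:\Windows\System32\svchost.exe", "C:\\Windows\\system32\\svchost.exe -k ClipboardSvcGroup -p"),
    (r"C:\Windows\system32\reg.exe", 'REG ADD "HKCU\\Software\\Contoso\\App" /v "Installed" /t REG_DWORD /d 1 /f'),
]

if __name__ == "__main__":
    for image, cmdline in EVENTS:
        print(sorted(classify(image, cmdline)) or "-", "|", cmdline)
    print("persisted:", final_run_key(EVENTS))
```

The look-alike check deliberately keys on the registry value name rather than the target path: the first REG ADD points `svchos` at the legitimate `sihost.exe`, which a path-only rule would pass, yet the value name is already the tell.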

Network

Country Destination Domain Proto
NL 104.80.224.57:443 N/A tcp
BE 8.238.110.126:80 N/A tcp
BE 8.238.110.126:80 N/A tcp
NL 92.123.77.43:80 N/A tcp
NL 184.29.205.60:443 N/A tcp
NL 184.29.205.60:443 N/A tcp
US 72.21.91.29:80 N/A tcp
NL 184.29.205.60:443 N/A tcp
N/A 10.127.0.1:7 N/A udp
NL 154.61.71.13:7 N/A udp
N/A 224.0.0.22:7 N/A udp
N/A 224.0.0.251:7 N/A udp
N/A 224.0.0.252:7 N/A udp
N/A 239.255.255.250:7 N/A udp

Files

C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe

MD5 8431a207fab74137df795fb46732544c
SHA1 abb80c03d3aa69ac38f62a447636b0fc1bf21d45
SHA256 80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
SHA512 98971c7ff9154482a53c05e725cea25f873ed88d6ac721e943bad35183ad070788f28da22ec2f8ee5fb38b862664a37c15b97bffcb5567d54c6476b1abef39db

C:\Users\Admin\AppData\Local\Temp\SjvaCxf.exe

MD5 8431a207fab74137df795fb46732544c
SHA1 abb80c03d3aa69ac38f62a447636b0fc1bf21d45
SHA256 80bb8c391d008606bf99888d7341e530375b92b0ff5ad326b0b0fddacb5ebb05
SHA512 98971c7ff9154482a53c05e725cea25f873ed88d6ac721e943bad35183ad070788f28da22ec2f8ee5fb38b862664a37c15b97bffcb5567d54c6476b1abef39db

memory/2200-132-0x00007FF7741A0000-0x00007FF774236000-memory.dmp

memory/2224-133-0x00007FF7741A0000-0x00007FF774236000-memory.dmp

memory/2888-134-0x00007FF7741A0000-0x00007FF774236000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_0d751396-3164-4736-b931-4f59d47ff1f2

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\.oracle_jre_usage\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents.RYK

MD5 4bd79b6ed47dfb8769bd62f1ad848935
SHA1 0fc1399b6f53722afe0fdb86a1a17229b79c3de3
SHA256 733028e9cd26f613fd5e48cabc4482f195fddd4d664c428170b5603b783115bb
SHA512 252c8432d4179d56f957b1f5d0fb857af500d7739c89b93d57735ca797d79e402979ca3aee4b11a2ba4a317af49c7f36e8668c094ffc90416eb3bb41e4eb81bf

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 ca8158f7979285cf88d3fde31829e7c2
SHA1 d4e588fd649cb62e3dd81e1b4e0c26e6aef2e794
SHA256 72f35a1df463887442208496dd3ce6df5691f919a9a0b4a8759628f67fa0bd19
SHA512 4ffb1528a6c228c130bca470c1278252e65ff261eb849987cd0fd3e0f8199cb4bff1be8876414eae45858fcbcedc61271ed34fa759f7641af2ee7cd6ff2b6110

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 a42fc9a77e18f516d3826933139c78e7
SHA1 a2d75c8424f4c1fff3cfcf2d7c751451d98414e0
SHA256 3bd4a467b59f07be10bc4509d385c8771855fe6b5bb981a5d2ea7c8e59ebd41e
SHA512 f40b618db903d3d4a8bcc98e5c26a6921cff44eca51a041ef344ca24056f6d4430edb8a7b870d7d9dbb9b070973ccc432d607eaa6d4ef833bde384f4ba3e7a77

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache11.lst.RYK

MD5 c20eac683a455fbb640bcf6da1927747
SHA1 d6a58cbe9787ad6e3139ca486bd1c8425e369c55
SHA256 ab8d222e562e85118c1873ee4e3cac4aaecdc1435d24db2b700ce313a1061ee1
SHA512 c6b3c77042a146ee27516193db9982634e6a4978f7a986dd6d82a41050a433eaaac02ac402f73752489429b2c4f17bc93c83835cb79b5fda9e35a0701dfd48a5

C:\Documents and Settings\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK

MD5 19eca2be09836b4efdb725b0ff707efd
SHA1 237a89f64124df2b413a5ff0d6edbe7500c77ab3
SHA256 ac0cd0958eb07be9e807d7b09a5c6af52b9d1a5e37890358b4e836b95163e5ca
SHA512 178676bbcf494008345970e4203ae7965519026071ebd8b8801435ef61f48793196dc2eb0e62f4055ce7ee8db56f3afc071db2fbf7c50e164f6a56f9f3aabbcc

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin.RYK

MD5 10cf4c89750fe37efa82f5557caa73da
SHA1 6ac7e9665e74fbea62cbff42a1570f9e8fd074b4
SHA256 e4381ec45beedab4458576fb39d724c535b6d204b6f34a0ba34428e85b5eea7d
SHA512 a8434895041bf5ea14a660b793fe5d9105819188f1a7f452c410a392d7d40d8c907d834513d30b819be0bf4a60be4e514cf099685340fd2db010fc0026452a58

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\3D Objects\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

MD5 2a23f69282c8984018d89e96a284d98d
SHA1 30864c46581508e22701c6f2642296d70d5007b7
SHA256 d7c2bcdd43df205a2aa10da617edbd5db0373680a66f1e7bc8d165e0c3f3421b
SHA512 e315ff8d049bdb63bb8da3615902c9b3729eeda0284be0f9b022275759951ec6506d46d2391501ffec4b9e67d312130a44e14cf81b9b6f5c1106b7eecd3eabd7

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db.RYK

MD5 d4bb46b4280f29b4c8932d9a561227c1
SHA1 3de6f779fdf008fac0b2a438e2cbf46bf8d4f60f
SHA256 186d5e3b40aec29762bdabea54d0cac2a3bd864a0032708638233dba4a12961e
SHA512 af3a14f1029138d8d089b23b6851869128d9e570cd164e0e31372cd3489c418c2bbab9d824cc21ad294312348475e23a3f8e9012bec6e9715937bfebbdd2a2a8

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.jfm

MD5 8ddf63fa08d2f60e4fd1a31c5cfc7405
SHA1 44f17ff1ad5c2316c25fe754273c84b628ef873d
SHA256 d0547a7544a13d49cf81db13623eaa1f11c05c89c96bdf8644d2f4697039fc68
SHA512 06c8b49cd110843faba7b57cf74611735804f38c945696220a07e2a7b748b42118d07292ad75458551f5ee08fd7b5397e58cd0e24175ff0ac58df18a15b20650

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jcp

MD5 5aeeeab8d93245fd68cb104be7476cdc
SHA1 2dec5a828afdaa631f33bf2a1f82022ce84c14c7
SHA256 e2d84c6cafefca44c79c0716e1e3a3d7992653be0c1813a3f4fdd995fa721a28
SHA512 d439137ca4bbffaec08315d9d6e3894f487d33ec684c29f59b4c30f2bc0accd33887b71fd664f160db78942cadca7baaba2ede7caf507db93a7486bb304c8f77

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5 ca53c7f1b4844801fd589d05ddb8cca0
SHA1 65bc2e5f8ac7ce9675b4c53095cbcd3618000ee1
SHA256 005e079cd9bbc173d735509cc9e7fb85bdf7c367dee0e50046aeffbea3bff7dc
SHA512 dcf0aece6a72df3805a80da47c2e9f07de13ca605ed750fd49151cc6a44aa3488c1a34e7b14e72d04e75b0f754da0e499c382ad3b46af61f4fb06df3c93788dc

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

MD5 d361070f76e8a7398c0a8e600eae7857
SHA1 6cd28fdf70d4b91f594569fbdf8c2961569b1303
SHA256 816fe71a374f01825d5a291cc19e04df54d569db3d5af9daa511112f6deada7d
SHA512 ab64929377606afbd329a4ac35d4d1af7871efd44c89dc11eb7736a0fbc522a57cb9a85dd0118d9e6839ee2b32cbc0c67480cb7f87e780ce421d60b1b5d04dfb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46E0.txt

MD5 b2aaf8e3811b66e1932daac35eaf6dc4
SHA1 cc7f9de401dfd3335c36cb65460e83a634333431
SHA256 f3685d893c3454ab2fb77c6d95440f638e9789c31357dbc040aedc215696d399
SHA512 d5bbab8b96698ee2b11c5fdc3794af0b13033acd6752b22a0e8ff3482245fbef4a942b8d2d7c7207e9b97034dc7b8efdc4c5be0efc10e14f98db212efea4bc0b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\temp\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\data\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5 e2a3a50e124035bdd65079c363440097
SHA1 c24f2c08ae04b89926e2f7da67721e7da0e28749
SHA256 a1ddb99ebe9dac9de52d05357e5404a53d737a48ea3dc13370ecaf226ef40430
SHA512 f7975571212a4ecdc46fdc02360894795c511ccf12d25d24f9ded3d4cc55d78df0a1c542072d523b2ac6abc63d72c2517d882f28f52f19d7c9aad8961be64fbf

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\offline.session64

MD5 685d0f30768a2ca5ccb60ae6f690d78e
SHA1 07e7487106250671eb50f6d86139a5c2001a17d6
SHA256 59521cb00d5af55f47ec859f72ed5d3b541991a500ef889cdbd0459f705ccf47
SHA512 37491096a00d1d8ac1e05c67ff5bdb8fb11c3ee761c9e1de22f875ab32c9497fdb0812462204446d5f8224f80611419d7713234f56736b61e5e574da141f2b2d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\AdobeSFX.log

MD5 f453819b7b7c64df5eeff59905314e9c
SHA1 d5459dafb1650c52c92f5dc371909b55d14819b7
SHA256 de737f1dc5ef9364540192f797d43c879bcf8d3e602767fc9ca78bd2f673ab3d
SHA512 95b6cb712bea670193a2e30e59021b32caa446cf884d9e8b654c85d6b905d438484abd3867eb9fb75af3401e4a0b42f74f71c89a07eac719754f8d8657e03338

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\Unistore\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\aria-debug-2324.log

MD5 945bbad3712901f55c3f726ad38d9a68
SHA1 0f3494a530dabb3a288795354feceaef3d4c632d
SHA256 d41cbcb891743b742f5e134347e8fd96b8b4e3c8f1866b6afa8dbc0de54f465e
SHA512 0448cbfc0e4eb058462e65d6b0be50c5f43bf65976d939c6fdbe61c5dc6a74090b9192e61820e6ae2abaef827f9ada30d1d22ceda122219c054b0987670964eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 784f11c4ba607806f24449cfc1a11b08
SHA1 410365d1e8d584ab19c10f8a1ab0ac834fe8c2c2
SHA256 eb454b463bd59458183a8b015b62e748bdb220be8ab6e8048eef5009fd8253a4
SHA512 4d882cf40620589e303e7662109ca82369efc4e9dc0029c8b53d1334deb8ef7305eeeae519ba275b460598376dc453eb635acee83c269194360c2980cd2250c2

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Publishers\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI46A8.txt

MD5 bcff6c7315ed06eb1a9853a694b7ee57
SHA1 1eb196912a2a020313ed6921f1e67a0559e43e48
SHA256 17f1c25a575a42063536e220350c1770c6c1ebb4756c1952129b1a649a1a420a
SHA512 e6258cb0c85ffe4e637927bda0cebcfb25390502d310c8a8367c7372ef2d3f9a5d6755197eb7176c41373ae2589370dc8086113feda39085b11fec30bce5e209

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\msedge_installer.log

MD5 51fe216fc224487e146dc38c7a81cd4a
SHA1 0a04c4072f8d4d3d2744ad5ff3b343af1483c6c2
SHA256 1e7e681a360784490a0e1df734c0d8dcab2feb36c2052c9f74d06f4cf2dd5bde
SHA512 e0f13ee7dc3145a378cb85589e6baa1d233e8a1bd86da257c5811e64c2c517a15e7ebde96c77945ea328d0a5c874d54add93287e9b864855aee637d9aeb0f3c1

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log

MD5 01a4f1fd1f2a820f5720169371e81c2b
SHA1 61443373b91b89a1ba1aa89e1a58c731b35c4398
SHA256 6f7b4ecc5a11c60fbec9dee46757b52140407125fe425407e2595d33da67b3b2
SHA512 a0bc9b6cfa5a84a8e2c22d77f1ed19f77e0b33ad6bcc897645cf0ad4db4c7f0b6626e2ccb6f1e6f513c82372fe407caf75eb063cf1467c683ba6a92c739f5d18

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\RyukReadMe.html

MD5 7aca9a85f47666aeb858d5c5c7d1ea44
SHA1 4e1921a90b9f972aaa4859ca3128da9de876bc8a
SHA256 b0be99bc59bb81464487aa6bc63d147eea716dc2758aa843ea8891015403356c
SHA512 6ed02d7993424f68ef03e32c58127e227744721341892e44e0b0c80c33fb0f169accc74c6498120d211c8ed3c1bcd9beffbfb85e2a44fd9f446df0524dc82d2c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USSres00002.jrs

MD5 e7dc7eda57723c7b4ee20a1d24281d6b
SHA1 f061975f9cb1299aba7b133cb1db1be713240800
SHA256 950c36365c938e40989d2136b910094b4d0aeb77e85212731fb5eb345c797572
SHA512 7bdc0cf34ed570cfb00fa5d7b3e9c9b6a03661d02f621dd9fca3969fb496d4d981582c36b97241458ad6776b49630b9b6a94eff3d16b0dfb6f875e91edd41b1f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wct2BC9.tmp

MD5 941c6153d7fd4f5099e334e621b16c01
SHA1 94eba97eef327b6fd1c10884e57581270036ec6e
SHA256 9a55760c732460376ba6add08a3326affdc32688aceadc3f2e796a696df9e86b