Analysis Overview
SHA256
68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218
Threat Level: Known bad
The file 68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Drops desktop.ini file(s)
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:19
Reported
2022-02-20 06:55
Platform
win7-en-20211208
Max time kernel
178s
Max time network
53s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1496 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | C:\Windows\system32\taskhost.exe |
| PID 1496 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | C:\Windows\system32\Dwm.exe |
| PID 1496 wrote to memory of 1248 | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | C:\Windows\Explorer.EXE |
Processes
C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe
"C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
Network
Files
memory/1120-54-0x000000013FA80000-0x000000013FE02000-memory.dmp
memory/1120-55-0x000000013FA80000-0x000000013FE02000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
C:\RyukReadMe.txt
C:\Documents and Settings\RyukReadMe.txt
C:\Documents and Settings\Admin\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc.RYK
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 6ec7865a2d0803517ff3197a5088a004 |
| SHA1 | b16f4659a26a3dab476c27f05f31482fbe505a5e |
| SHA256 | a5150aae76b645b707af9719cab361bf9d374234dec05651fc655c56135b0bb0 |
| SHA512 | 4b8f1e7765eda2ea796bcb99a4d23567cb67347219ee7c946623ccb93d4035b54ed7650d83dee8a2273633ba0c2785fbd4cc42a696a19e24544bd350826a1568 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
| MD5 | 5a6fdfe7fa060682fecb5636be108afa |
| SHA1 | 537683ff520313d327b9b615c48e6b46b7c7b189 |
| SHA256 | 7eed3840906999c51ed9b961c935583d52372aa81e475c898137e9fc3efc1b49 |
| SHA512 | bd8aad2f078024424d48e2d3c7052784bf957a47d604d8bb49a1d560a3ad4ce8a0273b48a5f2f08217a834d129fe61b4bdbf5d20f5b211911ce045199adc47e1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
| MD5 | 87b51c2e694dc89f023059a946f0cb54 |
| SHA1 | a3decc2336f5acfe8353bc4064be06d34e5a6dcd |
| SHA256 | 966bfe0422d399b6d7c9941b518b47e263b54ae83dc9d22e4412af5e23dc1a4a |
| SHA512 | 52e9f4d12b3899933122219b880e4a555bc7d3e2b879f81405bc4ad1f7fbf513366f6c377c5d40cd7b2b13cf134cbe7666f8d69d6356d53d4e014934cd22737b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
| MD5 | 8fb0c640bf8afc5ca95d36271cbb0d23 |
| SHA1 | 097444b9d8b4e1233d3ecd49a4de7947a8ac22a2 |
| SHA256 | c15fb448e257babd9cf461c7176f2529d9604f0165898a308aa1d235e08f22bf |
| SHA512 | 463ad3ccc968d168ddce7d56a3f1c90bceb1e011dd42a79bb2a98c1d6e90dd291f27480604e9d8a0368c33b91731d0a2ffc43a3bda0a507ff82a2038429e8329 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | 98f50470dfa7db4c22021f51b6cabbe9 |
| SHA1 | c8bdd0877bba6e94cc099ab6dcb1e6c62769d1b4 |
| SHA256 | b2baf82eb01339e4ba629e4af34fc16d07afeba03cc59515f66c4e6a41dda4db |
| SHA512 | 6befc1d9288e47fde7861c5792a8b37389ffa2a0dd8670b7f49312931991117a4781fb83288570ae66297d64ed6a6858dfdfbc4b0e6bfbbe20dd3a17a0f102b6 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
| MD5 | d429fbe6a007aaf6b4d85d441fec988f |
| SHA1 | bfc99ce25feb5775740c0791d48775cb53c44cdf |
| SHA256 | d8d2d971b58b93535a182d3e3ae10235715e251aa16ead1071a7137ac4aedac4 |
| SHA512 | a810e813e51e318d280a25131b91665e369b7a11744f2216295c30683bdfbd9c3ac19dd190749fbed0c111fe3dde9534dd2dee41429795219d4bbd20ae6ae7ca |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
| MD5 | fd10062b35bea95eea31c9cb64a769ad |
| SHA1 | bcad4143b28c0eda93eb02b029f7644bfc45cc28 |
| SHA256 | 8254c2efc860c31028c08e18cce87d722447080b4c9f3b864429df3091f5974c |
| SHA512 | 4407e6c2d6123d962fe785e5c34e8075c3e7e8f5c7c0915e69572fa952541a3b5f27cbd9f24e7c0c689acf26c437cc0c610fc0bd3a32a5d984ab4da1876a6499 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
| MD5 | a43169d67b39da7f7a3b5c110e9355af |
| SHA1 | 70e9fdb49dc7d0fcf3f8648c7376e4dafef83787 |
| SHA256 | e1db6b6bd4e1e059a08d3a817f2f0d33d8975757ec964bf0f65c704c4b879045 |
| SHA512 | 320148cfbbf6d12288a84a7f60ef3263106f4c1950f8275e3e46fb121f68d994ed8b84d3d2ffd36a6072c9a9abc155e017d82433222e57b9b0dcaed6d83fb213 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
| MD5 | fb334d30ffbe5309064f4a9745eb027d |
| SHA1 | c685188087ebb6a757fd8b575b3d38a71e4e8407 |
| SHA256 | 317d3ad2a4e7775b2f56647cb9ba5785a9c4fe2d796d5f003548946310402209 |
| SHA512 | b4637e5b2462b90a4f64580ecd919a6dd8060a25776a47e90e215ded0c40de3f839db498c17fdc79eb9edc48ac80db60a1caab5b816fe1a2ab8f0618d3c88936 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
| MD5 | a2d3958447c9cbc1f0641825c73f96f8 |
| SHA1 | d1549c4c0518e0a6b0cf6186c2446d4e3a60a278 |
| SHA256 | bb0dc6aae0a5129e05318fc158e9a59f726de94cea7a2a9435fd95e1ac7eae62 |
| SHA512 | 41705b30e51a4dd6c12fe95b9ed4e4acaa858877281cb79647a8c296a54fd12560a85fbae574e4e79e6ea4a81eb3685d8e99f6617f47cdc6e1e7425fe6e577eb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
| MD5 | ec61b9a984102a1fab7c3d393411e763 |
| SHA1 | 80eb568c3bed6e41800a2c7202f617ecb661d03a |
| SHA256 | 6b8bd0b0eb816ee6547a41c7b604c4a69c3d99a552062882fcee610a74072717 |
| SHA512 | cce14ecfbdfab6eea67ff0a643e842dbe44f94b80ae3b76a9354a712e2af731566fdb6fca64907fce96ae1bcec1ad8539ec47b7ff4cc55d097aaab9f6297b2cd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak
| MD5 | 711f030ff01f566f93fc5f1c44856251 |
| SHA1 | f4d0a1107c55fad870986420283eaa4d4385a9c1 |
| SHA256 | 1ce41afe1e9ee7df41e44eff7a31c8996ecbc5e78e75378a943db7edf77b69b6 |
| SHA512 | 2cb3b2a044db20219c2bcb62da640a143fe5118b70d855a67b5ad5f7b4b98ddc73f81c17acce2f910d44d915797a29bfe8f90ed2c487776bd30b238cfb5e9656 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
| MD5 | f87a9ade8600c86310998326396dd8d8 |
| SHA1 | 7153e21091495c08744feab0164c8453e38cf11d |
| SHA256 | e96a8a94974c0babd2bbdd716c230751b8c51d032d8e4657eab541fc6334c55e |
| SHA512 | 06cc60bb14803fd54be11a1df80d468719e203c4801cd565b93e91c5f5a5f9c53eff5153fe982f612da41b1bf48af199be4ff80da07c4baa6f16733efa787807 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.chk
| MD5 | e7204f6fa76b2befcc653d09ea3b4ff4 |
| SHA1 | 8b392f7cfb5353b9c90065ae2c6b1c6b1483b884 |
| SHA256 | 820736a13312143d1bc06918277c4b66b707cab4fefca1a2cbbac0e43f136e9c |
| SHA512 | 2f550392d321f02d33db3058a4de3d150ddb69fb0a0895a1fe4809f0df75d63dc2e8e0b554e39f63ae425c175779e0dd45fdeba9cadccd4f78fb1a99ccc84c95 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.htm
| MD5 | 4915b3d00521f24f9c1531a5a035a9af |
| SHA1 | 9930d5d08d6d4665ba400980b716621df767fc57 |
| SHA256 | 14c2131743023cd1e48b2f4d53fcc111ceadfb9d3a787e1cba8afbb53b3f06e0 |
| SHA512 | af14b57b9a185192b25dac0c59ad1408ccb08eda0a501bbbda6a93362dc6e326df7d9b07db239342116be8c6365437e0e19a80bef27f1d774fbe2aae6a15dba2 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Music.emf
| MD5 | 13cff22f223760ec785675b976f639bc |
| SHA1 | b2064d53d57381e4f60e7a509baef8ad82710cfc |
| SHA256 | f53abff656d2d58d5a640b41503953380c4a595cb0c1bdbd4f3248b9e803c3fb |
| SHA512 | 2473752000d9eb26b12afbd5e580cb6005c093469b36c9ca8b33fad404912cb8384ce523156c9afb80e566886015d279c0ffeab9a8daefa32754c1c971346bb4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Monet.jpg
| MD5 | 8a92419885d0ec5ac867370c7bc339fe |
| SHA1 | 23b0f82b53bce350f0bd3d868aa83a23a928f3c5 |
| SHA256 | 8802f59821ba0d87b2830285f631468921d9fe45f16f510530919658a0f3294d |
| SHA512 | 509a94afb4dea3b25c9eda354f503fa5a0460fa663d0b814e55ab0367528940d846f979e81d8d95a955a54e85dc507c23b83464337bafb6ba0526f0f9339b9fe |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log
| MD5 | 52732c8dec1556d840806fb89890278b |
| SHA1 | 85ac8bc7e4459c72b057b73a2dd5bafdc77ddb02 |
| SHA256 | 89367670c9e351a86f8ac8760e5af3427c6cb1e56ba77d69c34e4f283bb143f4 |
| SHA512 | d7c4eacf93138c9c21f72c2eea258dd2a9e9f63ae6eee87b70da7fde62dbf767e2aa4b88419d629f42904195faf2a5c989aa6543672cab16fddecc30f8e708af |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.txt
| MD5 | 9a090335ed651038187d3f8975b32217 |
| SHA1 | b7b976a645baf4e917e696a1e1415a1761b67793 |
| SHA256 | adf6be779af5f277dee54bcce605d6f83242740136b3f9d348401131369061bc |
| SHA512 | f02546c314e16772efec72f19ca3d9742c669c54d7f6af6634167244133ef25919889864f509b6e6663f055277b46979121092087c9d4cb613ae4804fdd146a4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Stars.htm
| MD5 | 28a75f051e0e17e9c13bfaf3ecf184ed |
| SHA1 | 38912daceafbf040ba1e56fb41001d8a4de175d5 |
| SHA256 | 8dba26621640adef1bcfa840e4ddbb04e9bf5760f45565f540f5f01abda36773 |
| SHA512 | 4cb14aea58726d9058494184d3b417e7b6cafd50a1dfff0c323d397e8ea781402c92769e4a2632d410c0e4afb401fc0467db8a424e7ff5288abba649ebf2e74f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Bears.jpg
| MD5 | 3825900e6fa3dcfe89cee5c5645bd0d2 |
| SHA1 | cea78a34bba004df600bb0845b8d43f0e928f78e |
| SHA256 | 8f5517e5ad3ab7c65c7443b511a5ed6216121567c5918d1d800e04f7803bbdfb |
| SHA512 | 83e9d3326cf12f7f5bf11f52d241e772817b815488ec8e56d0d46df37e5ce458960f253bbc8dd4f999da168e0977ba784da296688fe5ed9ec175d2ebba0b8790 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Roses.jpg
| MD5 | 95b6937db8417960b94297cc974c51f6 |
| SHA1 | e663ff48b551d933222d841220b8824fcd7f1596 |
| SHA256 | 4eae4519cb6dd723d85691d413b4afd33c57977b284ba147689f6be5d7924d69 |
| SHA512 | b9bb548c5b04dd0ae53a7eeb70ec31f7d61eb16d5ae533f67d9325e07631cb0b67fcce73e11ea2ccd52554b4d32c33dd14799634a068150af735688e7b3df186 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Graph.emf
| MD5 | f0af69fd0bb3bd54b238e86a5655d9f2 |
| SHA1 | 00e71e0eb2bb04dcec6f962169218a180dd65cfe |
| SHA256 | 03e083550af244cbbe910d9f65fc3146a028d92f8d1ff5cab0a2f7424eba8980 |
| SHA512 | b44957f7d3ebca349c5b7c6c271299527a49dfd5fa55dd2fd7d3a18dfadb915bfa377c3919ed8af93fad65d4623e2d215e917fb7dac48831d879666fa79d1c12 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Memo.emf
| MD5 | cdfea5e695743060c673e578dc5be5f5 |
| SHA1 | 1b05b6a6cdcf198e66b3e280542ebf4f655e60b2 |
| SHA256 | c828891271298e3cc7678d6401afc6e12e086749286815b126639e8618542c6e |
| SHA512 | bb99fac30ee2d303092000961b69a761b83852cb1635133a0deabc6b845859775254dd4a6f3e4a7e0342b49c23a2904dfe626aa376196e2866f53cdb80f999bc |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
| MD5 | b23b6944cdd882d4c781219866608eb7 |
| SHA1 | 5b85d36f46004791fb1a1d06edf03a8219efcc1b |
| SHA256 | f36b14172c8862e5dd6f715ffbccf5a2442a84bf4040de0cc16d0e6aabe9238f |
| SHA512 | e2b59899d095c4c11fb0eec5ea1b7930964baeb07d50301e7c7706629c2d7ad6ae01fb468efae7a17f16d71b80e3894284b3498c43fa7f8beda4735de4ab1c98 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:19
Reported
2022-02-20 06:54
Platform
win10v2004-en-20220113
Max time kernel
36s
Max time network
130s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe
"C:\Users\Admin\AppData\Local\Temp\68c11bb87583954ebfaa576a49ff91344e011c2717686f152442b0036a69d218.exe"
Network
| Country | Destination | Domain | Proto |
| US | 13.107.4.50:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 20.189.173.7:443 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
| NL | 104.110.191.140:80 | | tcp |
Files
memory/2344-133-0x00007FF759F50000-0x00007FF75A2D2000-memory.dmp
memory/2372-134-0x00007FF759F50000-0x00007FF75A2D2000-memory.dmp