Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gc3g6sacdm
Target 75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1
SHA256 75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1

Threat Level: Known bad

The file 75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 05:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 05:40

Reported

2022-02-20 06:30

Platform

win7-en-20211208

Max time kernel

173s

Max time network

46s

Command Line

"taskhost.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Music\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\taskhost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1940 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\system32\taskhost.exe
PID 1940 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\system32\Dwm.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1056 wrote to memory of 636 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 636 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1056 wrote to memory of 636 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1208 wrote to memory of 440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1208 wrote to memory of 440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1208 wrote to memory of 440 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 2008 wrote to memory of 916 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 916 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2008 wrote to memory of 916 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 2428 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 2428 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 2428 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 2428 wrote to memory of 2484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2428 wrote to memory of 2484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2428 wrote to memory of 2484 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1508 wrote to memory of 2704 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1508 wrote to memory of 2704 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1508 wrote to memory of 2704 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1228 wrote to memory of 2720 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 2720 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 2720 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 2720 wrote to memory of 2748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2720 wrote to memory of 2748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2720 wrote to memory of 2748 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 2664 wrote to memory of 2764 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 18784 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 18784 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 18784 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 18784 wrote to memory of 18808 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18784 wrote to memory of 18808 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18784 wrote to memory of 18808 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 18844 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 18844 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 18844 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 18864 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 18864 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 1228 wrote to memory of 18864 N/A C:\Windows\system32\taskhost.exe C:\Windows\System32\net.exe
PID 18844 wrote to memory of 18896 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18844 wrote to memory of 18896 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18844 wrote to memory of 18896 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18864 wrote to memory of 18904 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18864 wrote to memory of 18904 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 18864 wrote to memory of 18904 N/A C:\Windows\System32\net.exe C:\Windows\system32\net1.exe
PID 1940 wrote to memory of 26248 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe
PID 1940 wrote to memory of 26248 N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe C:\Windows\System32\net.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe

"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/1228-54-0x000000013FEA0000-0x0000000140237000-memory.dmp

memory/1940-55-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

memory/1228-56-0x000000013FEA0000-0x0000000140237000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 307f944e977315f882ede63f9e4d6ad5
SHA1 ffcffb2bbbb876295f43b17539c088b7d7735f37
SHA256 20b5b4b1dda4603e1a3664bb59bc07a0eeeaa6c6c39c66905a40dbcde692ebf5
SHA512 c7034b532af4e0a5dd35216e2abc7305a8bc92d286042a945b79e718fa23262726c0a199221f3481f09a37ceec0d104aad263c85c60d22f3ef5c2657022863a9

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK

MD5 3b9fa5a6cfbda804238b54ce3dcdd1f2
SHA1 725bc4d9451977ae9f17f81a54cd44b9824a94dd
SHA256 39f9e4dd887a5411453281967b6ab3681bdb72b55ccdc3d275ec2120472b4858
SHA512 a595b7bf7a78b8dea65e8c4272041d7df550ecab874badacf2da61ea5d73dc6b75511e8a7ade4e4e7e5895a73ab0698867becf2a7cae3ed1be9a43bb5cfb72a2

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5 34c2c8cb2fd81cbc4f4ec901796ffc52
SHA1 15e435b3bc9c5e143f1bd2ce7ab535af7fb33083
SHA256 1f5e524625871e3a4326dcecd82dd2dce332544c09e8e4e3f22096f1ac981d72
SHA512 e3cf85d77891080f6b1066e1520b277838af28a0d7c5f8f17a84860162d222cd182a98ff25b7b66c43673a8b9fab646b7412e07295a2d857a1b59c6fc93d3f7f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc

MD5 d457fcf4ca5221b94db1130e1bcc5fcb
SHA1 809d4493fac32fc764dc87ba6d12309be8728290
SHA256 088142b4ac3490b6ea0303a8a40884d62787eb089ca29c423afabf5c5e9bf33c
SHA512 ff1f1cdc4d5a99e4ded854696c7c9a10322b24e88967e5a30b9525fc6d3e3a35c79ac81dc382a426f9ae122b87a96f4e9f2ca127b8eacdae6354180baad015ed

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5 acac44ee6f5e016fdc286d22a42559d7
SHA1 4d8fe9d1a1e7a089879b09e90515725905704e36
SHA256 8696c7806945a95059ae4709531f64e59792dd1d815f04f07013f67993727f0e
SHA512 880e10d328fd800809bdf1e6f722fea0770e62103a9ffdc2e9777db792d3ed665a4a94d14209245d2ec13a53649df29bc4b500219696d5bbcec688d613506493

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK

MD5 49d5ed46abc4a73c03ccd88557afbd78
SHA1 6125d2ae7559f37f59b9273fe2e48c4391bf86e6
SHA256 7f12bc6ec44f693084ea889bc471be4a76e7ea4c1c2c3d99967812d77e17efca
SHA512 b27eb79b5cfcd5a3fc7cae3ef021fd6a5cf7da288ceec12b29f5addae5baac5f4f02c7353c1bdc472b38a1d698d77ee9d60726534f86319a2a34e3c873ae511f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK

MD5 586581874f29ff151f56f14da77a58f5
SHA1 f86400798da5ae6859a2382cb5397a96df005e53
SHA256 7c570696cccbeb3bd111183af3f5021b38e251be12f88b29053c3c3f281a3f63
SHA512 765a893ce2f6bcdbc990b2da031d20c6d981fcbe18cfff266c813d0653c1b85bada21cb155e01514628f7050453216a83615c9f8c6fcc0ade0939508987c9967

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 4c8a03f38c6a27c62e0e9b346e9faa59
SHA1 7b7156caa8db6c7b7b2f044dd616257e67902470
SHA256 61b3526174548cb523c390b49a0b1de13d8a7de3f72b3bded44f5dceed7d93d8
SHA512 79ef06282c737dc06e873979dc6756db5c8aa990887fc3e52c1c6c481272132f966aa04f034cfe82ea547f3a564dca76c664bc9dd69ceb507db1e594a4ea9d8a

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK

MD5 57c09db15c594ffb6e16e88982cbe0af
SHA1 b718067412335b1b7a7fbe200b8f04829349e744
SHA256 bfab07e67f7a70e3e208d3776fc59d3f532d36d7f24a215fe86b45cc1a964ef1
SHA512 8d2ef31068ed4be5a8f8b389251f5c7fa68af41f9dad4b1d7022d37de7e9b4b6abb6baec6dfcad4db6f538895d01b04df1cfff306e2d1bb809d840449593163f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK

MD5 51e2f19a6d196a0b7d31d902f5433081
SHA1 95fa20decd2933a5028e076a0fe411ab271dcc4c
SHA256 0b384c28a044fb3497cf1f68ed9c5c9b2cb0edf681293f0494f9199bdacc5c98
SHA512 971474836bc4564bba588b00015f20a6f4d314a5305e2c647d0cfbe77730326ff46f5b811ecea621ced36229c383d0f7e59fe1e9279dd2b22e024af02e9dfa03

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log

MD5 0702b1d6d01dc892f622e266f2444464
SHA1 906ebc163933f1a1f65ad2f6b8d9d1cfb105fa1d
SHA256 aa415e4141773dae4119fe8e2aade88086eaf8e12a813e220c623de62ada84d3
SHA512 5caef1158c6983630648feb5ca94be5998eb7a1ef42d573b2fcca6e4c92a57923ee75a21f2f45491ed095cfa3cf91b8eddcb7a65824ae38c639e668d77ad4bb0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK

MD5 3649d37a94248538fa7441d1664ad23a
SHA1 a7dbdccf38d3df282ce520871446b5f4694594de
SHA256 c4c4fb1109e2915f67e72b9225b1b6133b2b3ef915b0b052507951e615d3474c
SHA512 5b5de9dbedc5747f5c7a3b3ca65666a1ca7e3c7c2b27fd06f3a1850564af4f891b05805e7dceb7135d5781a5b1ea6fe8750cff33e5bc85546ce6198bab00852c

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5 07b1bf6efc6bfb7dada9bfb9168b4560
SHA1 28cbda1d4e9e144958c399de11b3152a1c7d0691
SHA256 967956913de09c71c6529c09d59fc861e7cd7220fd57af8e81034c61433fa5f2
SHA512 d85a39cf0a7a11acde5520639202ffe34e9cfd07de334625265f87a0bc73ec56916e7b0850c81cb4de77e620b2878d7e16a8a72c0b672f4ac5988e1d5d5c427d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK

MD5 2566e7565862a99a7bd1c672988c5d2e
SHA1 d5483c5b8c6195531c657b3cd3006c7d2fa1b856
SHA256 021fc87dcb9fbe143511cf4729b4372a8cc532ad374cd4f60042208a44723cb5
SHA512 061aca92fa00beb62c806cf9001a7009c70c414139f2dac67a2e36d137f2f45d635452e7e48a026b9ca2d6e1d8f65e6c50d102bd47a591d488ad7c2d6d5eb81f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini

MD5 83fe9021cd2631e3293dc451a9e4f2d6
SHA1 ba2964f1d635ede976143280c3923d156c09c631
SHA256 914a9c6067e677e82d45beffbf1097872680d5a8519f24620ef54661e8549d13
SHA512 9c218c69fa4db5d7c770031d09dc04c3c00c8050c727fccbb424b0eb0094f0e96240ab73f26b50cdb19490da570c9d52db33dafb6f5c5573febb483de2fc10db

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK

MD5 d3fd2dc73238e22409689d5a384dd962
SHA1 404f9292e7ba522e24f47ac0774cdca0214297fe
SHA256 fb3da24d830045b2f7ae9c35d7f4dd2cf3839dce461ca557b6ead5d0aed9a16d
SHA512 4da2d5aa5b3eb4d18461130a2df356983bcb7a16a7afb621ce64f831d2d1bd8e23c43cf53b050b9082c31cf5f0b09db7f9197aeceaf40cddce87cfe98856495b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini

MD5 f3dd8c50f531ae58c8791e10958f23e3
SHA1 16bc9912d39284d7f7ff2a819830b2ca021cd2d6
SHA256 af3551b1f38e38dc431a6e7b6d839214c22664793e9013c52e8072f8b6eb98bb
SHA512 a76ef2a35a6bd97fc47ce52790a535b3457c867ff7d968136442c73a4aaaa206d4c60814c5555802d34f43deb81f5eff58fd8d04edc20138dd0f2a29405f04de

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK

MD5 9ceb6264e149ca3d13e25fa69524b566
SHA1 3a0004333dca658f30e22de74b45d9c737f40677
SHA256 1f0a4cae687b0f0b44f55ae58ae88f0e25f5e9af6e1bf90d3f872df26555a008
SHA512 eb8fb4099d0d33ba2bb5d48d3b91a42b7d35f3ec465c9bff05877b30193426bd37c2f5610ec82cb2124b1917e70d793ab589353aea83c0776081d67ec2d9c0a5

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp.RYK

MD5 34e8ce4f9348cd38a05b31a4e3e8df5d
SHA1 df4c06b9ff60b3ac9ace04e8fb16ea6a46884e9b
SHA256 53885d10a5f97854cc25f58563143617cba390e8c0c48263c72bb18adaa01ecd
SHA512 5311aba9d5416992ea33cd70d4f620e5588a15e07b6acdc61a656b23dd2fef3f72e27b0eb4d8d2d90f9f79d3eab269002c98d9662ae6e03884e500b4bac7440b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp.RYK

MD5 6f61ea1c282a3336ecf45577ca3dc9be
SHA1 e8feb844f5f35b43ba3a0fc090fd4b080c542f05
SHA256 7a119c6519d68683f15ae124b77c626968909ec4386e12345ec7b06fcff57902
SHA512 a77a90bef914c73599b8645a6fb89d51f1deba5ef177e099539519e6d9caa0d489759446a6b91775236e1a6ea2f1a06bacaf74066dcbec7ecd526e5a24f78de4

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK

MD5 fc56b52b2431499279be0889505813c3
SHA1 652c1fb916f4fae221603d336918f787a98a4b75
SHA256 22b1f6dc3baa2909b5f27c2bed0b346b7240e4dc48e93ab8ffcdb0966bd85568
SHA512 396ef023dcd9f1778b6cc7c964b74086db132242034ef30c3ce30010b3a8bcb9fc5dc80b4108f8c4fea8b671f021aa600a23806d9ceff260dc5d1f90a6136f90

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5 d1d8e9458832ffb62cf4ddaf8ef481c8
SHA1 98823524d728b4859fad3d95d060030faa31f38e
SHA256 465f405fc7a27a01f467303109d903b5a007b8283a5efb903f8c243816e0f283
SHA512 d568c5f899a8d51d985550fab205f9742676ab85e0b0bf5b77aa38df7999c1ff464182fe267cefdbf431d3acf2bb395ba872083d6c6b3406657200260a2299cd

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini

MD5 1c0cc40ed75a19a99926c32eba7a58b1
SHA1 3a1bd0d1ffc7456fb527e759cd0235525d440a20
SHA256 ab3bcc3e2f4569912a33b1b9f12230671b0724503a1e4d73375a27f714e5a826
SHA512 52f910a0ce555cd5c087dc7e0f35f52b99258a0f08136736b3fe550d9b916da8617e2b079281bc08c7b99bc425f4db953d7f19a2b3d4c5eb4f2f7788d326c1df

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini

MD5 d20de5d52708b76b9cd389f25c07ace6
SHA1 7833d5b56c9fb377623f6ac67134386f18f2a052
SHA256 6bab7500bc86242e5492ec45206ccb9704df279180c8e414b13c51eabc2a6728
SHA512 d3ad1138e2a7643c2f03d1729ebdfe039a97fd38aa2df8e51ad6e2cf62d61fe21bc40e37baf03d8d73d3a8ffa6b336c23ef479b74024faa97da564513b02ca59

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt

MD5 4a1763a38b43dec55711bb2be626039a
SHA1 0d3a0163b63c7f13dd49f11cde5a3574512c41ac
SHA256 57069b429b71c22f212448de64841e8d49590b6fa1c0128c024801c8be373aa7
SHA512 d733ba3017317dba6f43803172a09c01a11d126b8552772d64290a3e35023c3c0d72fd43a22dacd2ffdf52a727449f1630832ad2ba919b16e457bc1f18532942

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK

MD5 3df6cfc7091b21a96f33391efedfb572
SHA1 21ebf419846bcd8c9cf6fd0cb7cf19b2ba80b51c
SHA256 a4fa55b4f028e27f77a3cbb01f7f959c6d1f341f74b9b4fb5e427bdc63b3cf98
SHA512 687f73781cc88658e497667d2b50448b11a396cc77b2f4956670c481fec30c30b6d94179aac2c058e55bdaf1521c28f198139a227d4dc8a5d0bfce58691db666

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb

MD5 dbb9a2e318e3445b0bd49ce874b09150
SHA1 7b7d53ad7461c152fcb6bf078d2b670c2998becd
SHA256 1efc058ccaaeaa953153044ef4ca721da3ab2b9e010368f3f472dcd58885d512
SHA512 83c0e21a976fbbde40a44ded8524b86d67eaf7f8f5352412b361f531e661782c365dbfa1c3e02408a1dcee8f68a988df65c015514eba6d8d9e3ce0d05f27645d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34
SHA512 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b
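Two things in the Files list above matter when turning it into indicators. Every RyukReadMe.txt carries the same hashes regardless of where it was dropped, so one SHA256 covers the note everywhere, whereas each .RYK file hashes differently (encrypted content), so for those the original filename is the useful value, not the hash. The paths also show the Windows 7 compatibility junctions the sandbox walked through: "Documents and Settings" standing in for Users, and "Application Data" directly under AppData\Local pointing back at AppData\Local, which is why the segment repeats. The script below is an added triage helper, not part of the report: it parses an excerpt copied from the list above (trimmed to three hash lines per entry), normalises the junction paths on the assumption that the detonation host has the stock junction layout, and separates note hashes, encrypted originals and remaining files.

```python
"""Turn the Files section of the sandbox report into normalised indicators.

Added example. Assumption: the host uses the stock Windows 7 junctions, so
'Documents and Settings' is Users, 'Documents and Settings/All Users' is
ProgramData, and 'Application Data' under AppData/Local loops back to
AppData/Local.
"""
import re

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
NOTE_NAME = "RyukReadMe.txt"   # ransom note name used throughout the report
ENC_SUFFIX = ".RYK"            # extension appended to encrypted files
JUNCTION_LOOP = re.compile(r"(?i)(\\AppData\\Local)(\\Application Data)+")

# Excerpt copied from the Files list above (SHA512 lines dropped for brevity),
# plus one memory-dump line to show that it is ignored.
REPORT_EXCERPT = r"""
memory/1228-54-0x000000013FEA0000-0x0000000140237000-memory.dmp

C:\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 ae40d03c8fdd305fe8d19a1969a8d02f
SHA1 3995332251a42db3d7a9a91ec9a783724f5bf27d
SHA256 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK

MD5 307f944e977315f882ede63f9e4d6ad5
SHA1 ffcffb2bbbb876295f43b17539c088b7d7735f37
SHA256 20b5b4b1dda4603e1a3664bb59bc07a0eeeaa6c6c39c66905a40dbcde692ebf5

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
"""


def parse_file_list(text):
    """Return [{'path': ..., 'md5': ..., 'sha1': ..., ...}] from report text."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None          # memory regions carry no hashes
        else:
            current = {"path": line}
            entries.append(current)
    return entries


def normalise_path(path):
    """Collapse the junction-recursed segments and map the legacy roots."""
    path = JUNCTION_LOOP.sub(r"\1", path)
    low = path.lower()
    if low.startswith(r"c:\documents and settings\all users"):
        return r"C:\ProgramData" + path[len(r"C:\Documents and Settings\All Users"):]
    if low.startswith(r"c:\documents and settings"):
        return r"C:\Users" + path[len(r"C:\Documents and Settings"):]
    return path


def triage(text):
    """Split entries into note hashes, encrypted originals and other files."""
    result = {"note_sha256": set(), "note_paths": [], "encrypted": [], "other": []}
    for e in parse_file_list(text):
        path = normalise_path(e["path"])
        name = path.rsplit("\\", 1)[-1]
        if name == NOTE_NAME:
            result["note_sha256"].add(e.get("sha256"))
            result["note_paths"].append(path)
        elif name.endswith(ENC_SUFFIX):
            # hash of encrypted content is unique per file; keep the original name
            result["encrypted"].append((path[:-len(ENC_SUFFIX)], e.get("sha256")))
        else:
            result["other"].append((path, e.get("sha256")))
    result["note_sha256"] = sorted(result["note_sha256"])
    return result


if __name__ == "__main__":
    for key, value in triage(REPORT_EXCERPT).items():
        print(key, value)
```

Fed the full Files section, the same parser gives one note hash for the whole run and a list of original filenames for scoping what was encrypted; the junction collapse is what keeps those paths matching real hosts instead of the sandbox's recursed view of them.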

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 05:40

Reported

2022-02-20 06:29

Platform

win10v2004-en-20220113

Max time kernel

64s

Max time network

86s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe N/A

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe

"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"

Network

Files

memory/2340-131-0x00007FF7DA9D0000-0x00007FF7DAD67000-memory.dmp

memory/2356-132-0x00007FF7DA9D0000-0x00007FF7DAD67000-memory.dmp