Analysis Overview
SHA256
75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1
Threat Level: Known bad
The file 75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Drops desktop.ini file(s)
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:40
Reported
2022-02-20 06:30
Platform
win7-en-20211208
Max time kernel
173s
Max time network
46s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Searches\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Games\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T0STXTA8\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
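Two things in the table above are worth pulling out. First, the same handful of desktop.ini files appear many times under paths that differ only in how many `Application Data` segments they contain. On Windows 7 `AppData\Local\Application Data` and `ProgramData\Application Data` are compatibility junctions that point back to their own parent, so a directory walk that follows junctions, as this sample's does, revisits the same files under ever-longer aliases; the longest rows run to roughly 250 characters, consistent with the walk being cut off by the 260-character MAX_PATH limit. Second, `taskhost.exe`, a Windows system process, shows up as the modifying process for the same files as the sample, which together with the WriteProcessMemory and SeBackupPrivilege entries further down is consistent with the sample injecting into it. The script below is an added example, not part of the sandbox report: it takes a constructed subset of the rows above verbatim, collapses the junction aliases to one canonical path (only the junctions named in its docstring are resolved, which is an assumption about the Win7 profile layout; deeper junctions such as `ProgramData\Start Menu` are left as they appear), and reports which canonical files were modified by both the sample and another process.

```python
r"""Added example (not part of the sandbox report): collapse the junction
aliases in the 'Drops desktop.ini file(s)' table and show which files were
touched by more than one process.

Windows 7 compatibility junctions assumed here:
  C:\Documents and Settings            -> C:\Users
  C:\Users\All Users                   -> C:\ProgramData
  <x>\AppData\Local\Application Data   -> <x>\AppData\Local   (loops)
  C:\ProgramData\Application Data      -> C:\ProgramData      (loops)
Deeper junctions (ProgramData\Start Menu, ProgramData\Documents, ...) are
not resolved; they do not affect the grouping.
"""
import re
from collections import defaultdict

SAMPLE = "75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"

# Constructed input: seven rows copied verbatim from the table above.
TABLE = r"""
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Startup\desktop.ini | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
"""

# | Description | Indicator (path) | Process | ...   (Target column ignored)
ROW = re.compile(r"^\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|")
# One or more 'Application Data' segments directly under a directory they alias.
LOOP = re.compile(r"(?i)(AppData\\Local|All Users)(?:\\Application Data)+")
# Used only to measure how deep into the junction loop a reported path went.
ALIAS_SEG = re.compile(r"(?i)\\Application Data(?=\\)")


def canonical(path: str) -> str:
    """Resolve the junctions listed in the module docstring, nothing more."""
    p = LOOP.sub(r"\1", path)
    p = re.sub(r"(?i)^C:\\Documents and Settings\\", r"C:\\Users\\", p)
    p = re.sub(r"(?i)^C:\\Users\\All Users\\", r"C:\\ProgramData\\", p)
    return p


def parse_rows(table: str):
    """Yield (description, raw path, process image name) per table row."""
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            desc, path, proc = m.groups()
            yield desc, path, proc.rsplit("\\", 1)[-1].lower()


def summarize(table: str):
    """Map canonical path -> set of process names, and -> deepest alias seen."""
    touched = defaultdict(set)
    deepest = defaultdict(int)
    for _desc, path, proc in parse_rows(table):
        real = canonical(path)
        touched[real].add(proc)
        deepest[real] = max(deepest[real], len(ALIAS_SEG.findall(path)))
    return dict(touched), dict(deepest)


def shared_with_sample(touched, sample=SAMPLE.lower()):
    """Canonical files modified by the sample and by at least one other process."""
    return sorted(f for f, procs in touched.items() if sample in procs and len(procs) > 1)


if __name__ == "__main__":
    touched, deepest = summarize(TABLE)
    for real in sorted(touched):
        print(f"{real}\n    procs={sorted(touched[real])} deepest_alias={deepest[real]}")
    print("shared with sample:", shared_with_sample(touched))
```

On the seven constructed rows this collapses to four real files, three of which were modified by both the sample and `taskhost.exe`; the alias depth (7 and 10 here) is a quick way to tell junction-loop noise from a genuinely different target when reading the full table.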
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
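The process list shows the sample issuing `net stop "<service>" /y` for spooler, audioendpointbuilder and samss, repeatedly. `net.exe` is only a launcher that re-executes the same arguments through `net1.exe`, so every attempt appears twice, and `/y` answers yes to the prompt about stopping dependent services so the call never blocks. Stopping services this way releases the file locks those services hold before the encryptor overwrites their files. The script below is an added example, not part of the report: it runs over a constructed subset of the command lines above, counts attempts from the parent `net.exe` only so the `net1.exe` child does not double-count, and flags the services against a small watch list (the watch list itself is the author's choice; the display names in it are the standard Windows ones).

```python
"""Added example (not part of the sandbox report): pull the service-stop
attempts out of the Processes list and flag them against a watch list."""
import re
from collections import Counter

# Constructed input: command lines copied from the Processes list above
# (a subset; the full list repeats the samss attempts many more times).
PROCESS_LINES = r'''
"taskhost.exe"
"C:\Windows\system32\Dwm.exe"
"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"
"C:\Windows\System32\net.exe" stop "spooler" /y
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1 stop "spooler" /y
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1 stop "samss" /y
'''

# Services this detonation tried to stop. The list is the author's choice;
# the display names are the standard Windows service display names.
WATCHLIST = {
    "samss": "Security Accounts Manager",
    "spooler": "Print Spooler",
    "audioendpointbuilder": "Windows Audio Endpoint Builder",
}

# net.exe or net1.exe invoked as: net stop "<svc>" [/y]   (quotes optional)
NET_STOP = re.compile(r'(?i)\b(net1?)(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?\s*(.*)$')


def service_stops(lines: str):
    """Return (attempts per service, set of services stopped with /y).

    net.exe hands the same arguments to net1.exe, so each attempt shows up
    twice in a process list; only the parent (net) is counted here.
    """
    attempts = Counter()
    unattended = set()
    for line in lines.splitlines():
        m = NET_STOP.search(line)
        if not m:
            continue
        launcher, service, flags = m.group(1).lower(), m.group(2).lower(), m.group(3)
        if launcher == "net":
            attempts[service] += 1
        if "/y" in flags.lower():
            unattended.add(service)
    return attempts, unattended


def flagged(attempts: Counter):
    """Watch-listed services as (name, display name, attempt count), most first."""
    return [(svc, WATCHLIST[svc], n) for svc, n in attempts.most_common() if svc in WATCHLIST]


if __name__ == "__main__":
    attempts, unattended = service_stops(PROCESS_LINES)
    for svc, name, n in flagged(attempts):
        tail = " (unattended, /y)" if svc in unattended else ""
        print(f"net stop {svc} [{name}] x{n}{tail}")
```

The same matching logic transfers directly to process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing): a user-context process spawning `net stop` against samss or spooler with `/y` is a strong pre-encryption signal, and de-duplicating on the `net.exe` parent keeps the alert count honest.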
Network
Files
memory/1228-54-0x000000013FEA0000-0x0000000140237000-memory.dmp
memory/1940-55-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp
memory/1228-56-0x000000013FEA0000-0x0000000140237000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc.RYK
| MD5 | 307f944e977315f882ede63f9e4d6ad5 |
| SHA1 | ffcffb2bbbb876295f43b17539c088b7d7735f37 |
| SHA256 | 20b5b4b1dda4603e1a3664bb59bc07a0eeeaa6c6c39c66905a40dbcde692ebf5 |
| SHA512 | c7034b532af4e0a5dd35216e2abc7305a8bc92d286042a945b79e718fa23262726c0a199221f3481f09a37ceec0d104aad263c85c60d22f3ef5c2657022863a9 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini.RYK
| MD5 | 3b9fa5a6cfbda804238b54ce3dcdd1f2 |
| SHA1 | 725bc4d9451977ae9f17f81a54cd44b9824a94dd |
| SHA256 | 39f9e4dd887a5411453281967b6ab3681bdb72b55ccdc3d275ec2120472b4858 |
| SHA512 | a595b7bf7a78b8dea65e8c4272041d7df550ecab874badacf2da61ea5d73dc6b75511e8a7ade4e4e7e5895a73ab0698867becf2a7cae3ed1be9a43bb5cfb72a2 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Adobe\Color\ACECache10.lst
| MD5 | 34c2c8cb2fd81cbc4f4ec901796ffc52 |
| SHA1 | 15e435b3bc9c5e143f1bd2ce7ab535af7fb33083 |
| SHA256 | 1f5e524625871e3a4326dcecd82dd2dce332544c09e8e4e3f22096f1ac981d72 |
| SHA512 | e3cf85d77891080f6b1066e1520b277838af28a0d7c5f8f17a84860162d222cd182a98ff25b7b66c43673a8b9fab646b7412e07295a2d857a1b59c6fc93d3f7f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | d457fcf4ca5221b94db1130e1bcc5fcb |
| SHA1 | 809d4493fac32fc764dc87ba6d12309be8728290 |
| SHA256 | 088142b4ac3490b6ea0303a8a40884d62787eb089ca29c423afabf5c5e9bf33c |
| SHA512 | ff1f1cdc4d5a99e4ded854696c7c9a10322b24e88967e5a30b9525fc6d3e3a35c79ac81dc382a426f9ae122b87a96f4e9f2ca127b8eacdae6354180baad015ed |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
| MD5 | acac44ee6f5e016fdc286d22a42559d7 |
| SHA1 | 4d8fe9d1a1e7a089879b09e90515725905704e36 |
| SHA256 | 8696c7806945a95059ae4709531f64e59792dd1d815f04f07013f67993727f0e |
| SHA512 | 880e10d328fd800809bdf1e6f722fea0770e62103a9ffdc2e9777db792d3ed665a4a94d14209245d2ec13a53649df29bc4b500219696d5bbcec688d613506493 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp.RYK
| MD5 | 49d5ed46abc4a73c03ccd88557afbd78 |
| SHA1 | 6125d2ae7559f37f59b9273fe2e48c4391bf86e6 |
| SHA256 | 7f12bc6ec44f693084ea889bc471be4a76e7ea4c1c2c3d99967812d77e17efca |
| SHA512 | b27eb79b5cfcd5a3fc7cae3ef021fd6a5cf7da288ceec12b29f5addae5baac5f4f02c7353c1bdc472b38a1d698d77ee9d60726534f86319a2a34e3c873ae511f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log.RYK
| MD5 | 586581874f29ff151f56f14da77a58f5 |
| SHA1 | f86400798da5ae6859a2382cb5397a96df005e53 |
| SHA256 | 7c570696cccbeb3bd111183af3f5021b38e251be12f88b29053c3c3f281a3f63 |
| SHA512 | 765a893ce2f6bcdbc990b2da031d20c6d981fcbe18cfff266c813d0653c1b85bada21cb155e01514628f7050453216a83615c9f8c6fcc0ade0939508987c9967 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 4c8a03f38c6a27c62e0e9b346e9faa59 |
| SHA1 | 7b7156caa8db6c7b7b2f044dd616257e67902470 |
| SHA256 | 61b3526174548cb523c390b49a0b1de13d8a7de3f72b3bded44f5dceed7d93d8 |
| SHA512 | 79ef06282c737dc06e873979dc6756db5c8aa990887fc3e52c1c6c481272132f966aa04f034cfe82ea547f3a564dca76c664bc9dd69ceb507db1e594a4ea9d8a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log.RYK
| MD5 | 57c09db15c594ffb6e16e88982cbe0af |
| SHA1 | b718067412335b1b7a7fbe200b8f04829349e744 |
| SHA256 | bfab07e67f7a70e3e208d3776fc59d3f532d36d7f24a215fe86b45cc1a964ef1 |
| SHA512 | 8d2ef31068ed4be5a8f8b389251f5c7fa68af41f9dad4b1d7022d37de7e9b4b6abb6baec6dfcad4db6f538895d01b04df1cfff306e2d1bb809d840449593163f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | 51e2f19a6d196a0b7d31d902f5433081 |
| SHA1 | 95fa20decd2933a5028e076a0fe411ab271dcc4c |
| SHA256 | 0b384c28a044fb3497cf1f68ed9c5c9b2cb0edf681293f0494f9199bdacc5c98 |
| SHA512 | 971474836bc4564bba588b00015f20a6f4d314a5305e2c647d0cfbe77730326ff46f5b811ecea621ced36229c383d0f7e59fe1e9279dd2b22e024af02e9dfa03 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
| MD5 | 0702b1d6d01dc892f622e266f2444464 |
| SHA1 | 906ebc163933f1a1f65ad2f6b8d9d1cfb105fa1d |
| SHA256 | aa415e4141773dae4119fe8e2aade88086eaf8e12a813e220c623de62ada84d3 |
| SHA512 | 5caef1158c6983630648feb5ca94be5998eb7a1ef42d573b2fcca6e4c92a57923ee75a21f2f45491ed095cfa3cf91b8eddcb7a65824ae38c639e668d77ad4bb0 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log.RYK
| MD5 | 3649d37a94248538fa7441d1664ad23a |
| SHA1 | a7dbdccf38d3df282ce520871446b5f4694594de |
| SHA256 | c4c4fb1109e2915f67e72b9225b1b6133b2b3ef915b0b052507951e615d3474c |
| SHA512 | 5b5de9dbedc5747f5c7a3b3ca65666a1ca7e3c7c2b27fd06f3a1850564af4f891b05805e7dceb7135d5781a5b1ea6fe8750cff33e5bc85546ce6198bab00852c |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
| MD5 | 07b1bf6efc6bfb7dada9bfb9168b4560 |
| SHA1 | 28cbda1d4e9e144958c399de11b3152a1c7d0691 |
| SHA256 | 967956913de09c71c6529c09d59fc861e7cd7220fd57af8e81034c61433fa5f2 |
| SHA512 | d85a39cf0a7a11acde5520639202ffe34e9cfd07de334625265f87a0bc73ec56916e7b0850c81cb4de77e620b2878d7e16a8a72c0b672f4ac5988e1d5d5c427d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini.RYK
| MD5 | 2566e7565862a99a7bd1c672988c5d2e |
| SHA1 | d5483c5b8c6195531c657b3cd3006c7d2fa1b856 |
| SHA256 | 021fc87dcb9fbe143511cf4729b4372a8cc532ad374cd4f60042208a44723cb5 |
| SHA512 | 061aca92fa00beb62c806cf9001a7009c70c414139f2dac67a2e36d137f2f45d635452e7e48a026b9ca2d6e1d8f65e6c50d102bd47a591d488ad7c2d6d5eb81f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini
| MD5 | 83fe9021cd2631e3293dc451a9e4f2d6 |
| SHA1 | ba2964f1d635ede976143280c3923d156c09c631 |
| SHA256 | 914a9c6067e677e82d45beffbf1097872680d5a8519f24620ef54661e8549d13 |
| SHA512 | 9c218c69fa4db5d7c770031d09dc04c3c00c8050c727fccbb424b0eb0094f0e96240ab73f26b50cdb19490da570c9d52db33dafb6f5c5573febb483de2fc10db |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | d3fd2dc73238e22409689d5a384dd962 |
| SHA1 | 404f9292e7ba522e24f47ac0774cdca0214297fe |
| SHA256 | fb3da24d830045b2f7ae9c35d7f4dd2cf3839dce461ca557b6ead5d0aed9a16d |
| SHA512 | 4da2d5aa5b3eb4d18461130a2df356983bcb7a16a7afb621ce64f831d2d1bd8e23c43cf53b050b9082c31cf5f0b09db7f9197aeceaf40cddce87cfe98856495b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini
| MD5 | f3dd8c50f531ae58c8791e10958f23e3 |
| SHA1 | 16bc9912d39284d7f7ff2a819830b2ca021cd2d6 |
| SHA256 | af3551b1f38e38dc431a6e7b6d839214c22664793e9013c52e8072f8b6eb98bb |
| SHA512 | a76ef2a35a6bd97fc47ce52790a535b3457c867ff7d968136442c73a4aaaa206d4c60814c5555802d34f43deb81f5eff58fd8d04edc20138dd0f2a29405f04de |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
| MD5 | 9ceb6264e149ca3d13e25fa69524b566 |
| SHA1 | 3a0004333dca658f30e22de74b45d9c737f40677 |
| SHA256 | 1f0a4cae687b0f0b44f55ae58ae88f0e25f5e9af6e1bf90d3f872df26555a008 |
| SHA512 | eb8fb4099d0d33ba2bb5d48d3b91a42b7d35f3ec465c9bff05877b30193426bd37c2f5610ec82cb2124b1917e70d793ab589353aea83c0776081d67ec2d9c0a5 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp.RYK
| MD5 | 34e8ce4f9348cd38a05b31a4e3e8df5d |
| SHA1 | df4c06b9ff60b3ac9ace04e8fb16ea6a46884e9b |
| SHA256 | 53885d10a5f97854cc25f58563143617cba390e8c0c48263c72bb18adaa01ecd |
| SHA512 | 5311aba9d5416992ea33cd70d4f620e5588a15e07b6acdc61a656b23dd2fef3f72e27b0eb4d8d2d90f9f79d3eab269002c98d9662ae6e03884e500b4bac7440b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp.RYK
| MD5 | 6f61ea1c282a3336ecf45577ca3dc9be |
| SHA1 | e8feb844f5f35b43ba3a0fc090fd4b080c542f05 |
| SHA256 | 7a119c6519d68683f15ae124b77c626968909ec4386e12345ec7b06fcff57902 |
| SHA512 | a77a90bef914c73599b8645a6fb89d51f1deba5ef177e099539519e6d9caa0d489759446a6b91775236e1a6ea2f1a06bacaf74066dcbec7ecd526e5a24f78de4 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log.RYK
| MD5 | fc56b52b2431499279be0889505813c3 |
| SHA1 | 652c1fb916f4fae221603d336918f787a98a4b75 |
| SHA256 | 22b1f6dc3baa2909b5f27c2bed0b346b7240e4dc48e93ab8ffcdb0966bd85568 |
| SHA512 | 396ef023dcd9f1778b6cc7c964b74086db132242034ef30c3ce30010b3a8bcb9fc5dc80b4108f8c4fea8b671f021aa600a23806d9ceff260dc5d1f90a6136f90 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
| MD5 | d1d8e9458832ffb62cf4ddaf8ef481c8 |
| SHA1 | 98823524d728b4859fad3d95d060030faa31f38e |
| SHA256 | 465f405fc7a27a01f467303109d903b5a007b8283a5efb903f8c243816e0f283 |
| SHA512 | d568c5f899a8d51d985550fab205f9742676ab85e0b0bf5b77aa38df7999c1ff464182fe267cefdbf431d3acf2bb395ba872083d6c6b3406657200260a2299cd |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini
| MD5 | 1c0cc40ed75a19a99926c32eba7a58b1 |
| SHA1 | 3a1bd0d1ffc7456fb527e759cd0235525d440a20 |
| SHA256 | ab3bcc3e2f4569912a33b1b9f12230671b0724503a1e4d73375a27f714e5a826 |
| SHA512 | 52f910a0ce555cd5c087dc7e0f35f52b99258a0f08136736b3fe550d9b916da8617e2b079281bc08c7b99bc425f4db953d7f19a2b3d4c5eb4f2f7788d326c1df |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini
| MD5 | d20de5d52708b76b9cd389f25c07ace6 |
| SHA1 | 7833d5b56c9fb377623f6ac67134386f18f2a052 |
| SHA256 | 6bab7500bc86242e5492ec45206ccb9704df279180c8e414b13c51eabc2a6728 |
| SHA512 | d3ad1138e2a7643c2f03d1729ebdfe039a97fd38aa2df8e51ad6e2cf62d61fe21bc40e37baf03d8d73d3a8ffa6b336c23ef479b74024faa97da564513b02ca59 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
| MD5 | 4a1763a38b43dec55711bb2be626039a |
| SHA1 | 0d3a0163b63c7f13dd49f11cde5a3574512c41ac |
| SHA256 | 57069b429b71c22f212448de64841e8d49590b6fa1c0128c024801c8be373aa7 |
| SHA512 | d733ba3017317dba6f43803172a09c01a11d126b8552772d64290a3e35023c3c0d72fd43a22dacd2ffdf52a727449f1630832ad2ba919b16e457bc1f18532942 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | 3df6cfc7091b21a96f33391efedfb572 |
| SHA1 | 21ebf419846bcd8c9cf6fd0cb7cf19b2ba80b51c |
| SHA256 | a4fa55b4f028e27f77a3cbb01f7f959c6d1f341f74b9b4fb5e427bdc63b3cf98 |
| SHA512 | 687f73781cc88658e497667d2b50448b11a396cc77b2f4956670c481fec30c30b6d94179aac2c058e55bdaf1521c28f198139a227d4dc8a5d0bfce58691db666 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | dbb9a2e318e3445b0bd49ce874b09150 |
| SHA1 | 7b7d53ad7461c152fcb6bf078d2b670c2998becd |
| SHA256 | 1efc058ccaaeaa953153044ef4ca721da3ab2b9e010368f3f472dcd58885d512 |
| SHA512 | 83c0e21a976fbbde40a44ded8524b86d67eaf7f8f5352412b361f531e661782c365dbfa1c3e02408a1dcee8f68a988df65c015514eba6d8d9e3ce0d05f27645d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Ringtones\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA1 | 3995332251a42db3d7a9a91ec9a783724f5bf27d |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
| SHA512 | 14de02d05d03ff40baac69c335e20c1d46dbd1c59d23d3b92e395e3c4f399a0d1a82d6c94360747ada7cee572ac11a2e5c7f61fa01a17c6a5d6ea6484e1caa3b |
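Two things in the dropped-file list above are worth pulling out programmatically: every RyukReadMe.txt carries the same hashes (MD5 ae40d03c…, SHA256 8658551c…), so one content hash covers the note wherever it lands, and the `Application Data\Application Data\…` chains are not real directories. `C:\Documents and Settings` is a junction to `C:\Users`, and `<profile>\AppData\Local\Application Data` is a compatibility junction back to `<profile>\AppData\Local`, so a walker that does not skip reparse points sees the same tree again at each hop; the sample followed those junctions until path-length limits stopped it. The Python below is an added example, not part of this report or the sandbox's tooling. It parses records in the report's own layout (a constructed sample of five entries copied from the list above, with the junction chains shortened), resolves the two junctions to canonical paths, groups ransom notes by SHA256 and separates `.RYK` files from files the sample left untouched. The junction-resolution rules and the note/extension names are taken from the paths on this page; the rest is an assumption about how one would turn the list into IOCs.

```python
import re
from collections import defaultdict

# Constructed sample: five dropped-file records copied from this report,
# in the report's own layout (path line, then "| MD5/SHA256 | hash |" rows).
# Junction chains are shortened to two hops to keep the sample readable.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\RyukReadMe.txt
| MD5 | ae40d03c8fdd305fe8d19a1969a8d02f |
| SHA256 | 8658551c9949d3672e36f529e31333a33304b60df7d1b7df453697e826e2eb34 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Temp\Admin.bmp.RYK
| SHA256 | 7f12bc6ec44f693084ea889bc471be4a76e7ea4c1c2c3d99967812d77e17efca |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Temp\chrome_installer.log
| SHA256 | 61b3526174548cb523c390b49a0b1de13d8a7de3f72b3bded44f5dceed7d93d8 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Microsoft\Feeds Cache\desktop.ini.RYK
| SHA256 | 1f0a4cae687b0f0b44f55ae58ae88f0e25f5e9af6e1bf90d3f872df26555a008 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
RANSOM_NOTE = "RyukReadMe.txt"   # note filename as seen in this report
ENCRYPTED_EXT = ".RYK"           # extension appended to encrypted files in this report


def parse_dropped_files(text):
    """Turn the report's path-then-hash-rows layout into a list of records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and records:
            records[-1]["hashes"][m.group(1)] = m.group(2)
        elif not line.startswith("|"):
            records.append({"path": line, "hashes": {}})
    return records


def canonical_path(path):
    """Resolve the two Windows compatibility junctions the sample walked through.

    'C:\\Documents and Settings' -> 'C:\\Users', and every 'Application Data'
    segment directly after 'AppData\\Local' is a junction back to AppData\\Local,
    so a run of them collapses to the single real directory.
    """
    path = re.sub(r"^C:\\Documents and Settings\\", r"C:\\Users\\", path, flags=re.I)
    return re.sub(r"(AppData\\Local\\)(?:Application Data\\)+", r"\1", path, flags=re.I)


def classify(records):
    """Group ransom notes by SHA256 (dir set per hash), split encrypted vs untouched files."""
    notes = defaultdict(set)
    encrypted, untouched = [], []
    for rec in records:
        path = canonical_path(rec["path"])
        directory, _, name = path.rpartition("\\")
        if name == RANSOM_NOTE:
            notes[rec["hashes"].get("SHA256")].add(directory)
        elif name.endswith(ENCRYPTED_EXT):
            encrypted.append(path)
        else:
            untouched.append(path)
    return {"notes": dict(notes), "encrypted": encrypted, "untouched": untouched}


def iocs(summary):
    """Host-based indicators a responder can sweep for: note hashes and the extension."""
    return {"note_sha256": sorted(summary["notes"]), "extension": ENCRYPTED_EXT,
            "note_dir_count": sum(len(d) for d in summary["notes"].values())}


if __name__ == "__main__":
    s = classify(parse_dropped_files(SAMPLE_REPORT))
    print(iocs(s))
    for p in s["encrypted"]:
        print("encrypted:", p)
```

Run against the full list above, the same code shows a single note hash across every directory and leaves the junction noise out of the resulting paths, which is what you want before feeding them to a sweep or a YARA/EDR rule.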
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:40
Reported
2022-02-20 06:29
Platform
win10v2004-en-20220113
Max time kernel
64s
Max time network
86s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4556 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\sihost.exe |
| PID 4556 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\svchost.exe |
| PID 4556 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\taskhostw.exe |
| PID 4556 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\svchost.exe |
| PID 4556 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\DllHost.exe |
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe
"C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe"
Network
Files
memory/2340-131-0x00007FF7DA9D0000-0x00007FF7DAD67000-memory.dmp
memory/2356-132-0x00007FF7DA9D0000-0x00007FF7DAD67000-memory.dmp
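The WriteProcessMemory table above shows one process (PID 4556, the sample running from the user's Temp directory) writing into five distinct PIDs backed by four System32 images (sihost.exe, svchost.exe, taskhostw.exe, DllHost.exe), after taking SeDebugPrivilege; the two memory dumps list the same 0x00007FF7DA9D0000-0x00007FF7DAD67000 range in PIDs 2340 and 2356. The Python below is an added example, not part of this report or the sandbox's tooling. It parses the report's own table rows (a constructed copy of the five rows above), computes the injection fan-out per source, and flags a source that runs from a user-writable path and writes into several different System32 images. The second function is the production analog, assumed here rather than taken from the page: Sysmon Event ID 10 (ProcessAccess) records the GrantedAccess mask on the handle, and a WriteProcessMemory-style injector needs at least PROCESS_VM_OPERATION (0x0008) and PROCESS_VM_WRITE (0x0020) on it. The fan-out threshold of three images and the Temp-path heuristic are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the WriteProcessMemory rows from this report, in the
# report's own table layout (description | indicator | process | target).
SAMPLE_ROWS = r"""
| PID 4556 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\sihost.exe |
| PID 4556 wrote to memory of 2356 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\svchost.exe |
| PID 4556 wrote to memory of 2432 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\taskhostw.exe |
| PID 4556 wrote to memory of 2800 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\svchost.exe |
| PID 4556 wrote to memory of 3252 | N/A | C:\Users\Admin\AppData\Local\Temp\75b37b61fbbd2e474e235398bf9aafe4ee978ba13f24e0e2343a656d705315c1.exe | C:\Windows\system32\DllHost.exe |
"""

ROW = re.compile(
    r"^\|\s*PID (\d+) wrote to memory of (\d+)\s*\|\s*N/A\s*\|\s*(.+?)\s*\|\s*(.+?)\s*\|$")

# Win32 process access rights a WriteProcessMemory-based injector needs on the
# target handle; Sysmon Event ID 10 reports them in the GrantedAccess field.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Assumed heuristics: source image under a user Temp dir, targets under System32.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
SYSTEM32 = re.compile(r"^C:\\Windows\\system32\\", re.I)


def parse_write_events(text):
    """Parse the report's 'PID X wrote to memory of Y' rows into event dicts."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            events.append({"src_pid": int(m.group(1)), "dst_pid": int(m.group(2)),
                           "src_image": m.group(3), "dst_image": m.group(4)})
    return events


def injection_fanout(events, min_targets=3):
    """Flag sources in a user-writable path that write into >= min_targets distinct System32 images."""
    by_src = defaultdict(lambda: {"image": None, "targets": set(), "pids": set()})
    for ev in events:
        entry = by_src[ev["src_pid"]]
        entry["image"] = ev["src_image"]
        if SYSTEM32.match(ev["dst_image"]):
            entry["targets"].add(ev["dst_image"].rsplit("\\", 1)[-1].lower())
            entry["pids"].add(ev["dst_pid"])
    hits = []
    for pid, entry in by_src.items():
        if USER_WRITABLE.match(entry["image"]) and len(entry["targets"]) >= min_targets:
            hits.append({"src_pid": pid, "src_image": entry["image"],
                         "targets": sorted(entry["targets"]),
                         "victim_pids": sorted(entry["pids"])})
    return hits


def sysmon_access_is_injection(granted_access):
    """True when a Sysmon ProcessAccess GrantedAccess mask carries VM_OPERATION and VM_WRITE."""
    return granted_access & INJECT_MASK == INJECT_MASK


if __name__ == "__main__":
    for hit in injection_fanout(parse_write_events(SAMPLE_ROWS)):
        print(f"PID {hit['src_pid']} injected into {hit['targets']} (victims {hit['victim_pids']})")
```

On a live host the same fan-out logic applies to Sysmon Event ID 10 records keyed by SourceProcessId, with `sysmon_access_is_injection` as the per-event filter; a source that also triggers the SeDebugPrivilege adjustment seen in the table above is a stronger signal than either event alone.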