Analysis Overview
SHA256
73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b
Threat Level: Known bad
The file 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b was found to be: Known bad.
Malicious Activity Summary
Ryuk
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 05:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 05:45
Reported
2022-02-20 06:14
Platform
win7-en-20211208
Max time kernel
190s
Max time network
89s
Command Line
Signatures
Ryuk
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Windows\\system32\\taskhost.exe" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BwDVIKn.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" 8 LAN
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f
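The process tree above carries the three behaviours a detection engineer would key on: the sample and its copy run out of %TEMP% (`BwDVIKn.exe` with the arguments `8 LAN`), the `net stop "samss" /y` and `net stop "audioendpointbuilder" /y` calls that free up locked files before encryption, and the `REG ADD ...\CurrentVersion\Run /v "svchos"` persistence, whose value name is one letter short of `svchost` and whose data is rewritten three times (first `taskhost.exe`, then the submitted sample, then the copy in %TEMP%). The script below is an added example, not part of the sandbox report: it runs those three checks over the command lines copied from the report (the list is a constructed sample; the set of system-binary stems used for the lookalike test is an assumption, not something the report states).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: command lines copied from the Processes section of
# the report above, plus one benign-looking line as a negative control.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"',
    r'"C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" 8 LAN',
    r'"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y',
    r'C:\Windows\system32\net1 stop "samss" /y',
    r'"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Windows\system32\taskhost.exe" /f',
    r'REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe" /f',
    r'"taskhost.exe"',
]

# Assumed list of Windows binary stems that malware likes to imitate in value names.
SYSTEM_BINARY_STEMS = {"svchost", "taskhost", "csrss", "lsass", "winlogon", "explorer", "dwm"}

# Image path at the start of the command line (quoted or not).
IMAGE_RE = re.compile(r'^"?([a-z]:\\[^"]+?\.exe)"?', re.I)
# net.exe / net1.exe "stop <service>" with the optional /y auto-confirm.
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?"?\s+stop\s+"?([^"\s]+)"?(?:\s+/y)?', re.I)
# reg add against any ...\CurrentVersion\Run key, capturing value name and data.
REG_RUN_RE = re.compile(
    r'reg\s+add\s+"?(?P<key>hk[^"\s]*\\currentversion\\run)"?\s+'
    r'/v\s+"?(?P<name>[^"\s]+)"?.*?/d\s+"?(?P<data>[^"]+?)"?\s+/f',
    re.I,
)
TEMP_DIR_RE = re.compile(r'\\appdata\\local\\temp\\', re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    detail: str
    command_line: str


def is_lookalike(value_name: str) -> bool:
    """True when a Run value name is a truncated copy of a system binary stem (e.g. svchos)."""
    name = value_name.lower()
    if name in SYSTEM_BINARY_STEMS or len(name) < 4:
        return False
    return any(stem.startswith(name) for stem in SYSTEM_BINARY_STEMS)


def triage_command_line(cmd: str) -> list[Finding]:
    """Apply the three checks to one command line and return every match."""
    findings: list[Finding] = []
    m = IMAGE_RE.match(cmd)
    if m and TEMP_DIR_RE.search(m.group(1)):
        findings.append(Finding("execution_from_temp", "medium", m.group(1), cmd))
    m = NET_STOP_RE.search(cmd)
    if m:
        findings.append(Finding("service_stop", "high", m.group(1).lower(), cmd))
    m = REG_RUN_RE.search(cmd)
    if m:
        name, data = m.group("name"), m.group("data")
        reasons = []
        if TEMP_DIR_RE.search(data):
            reasons.append("autostart target lives in %TEMP%")
        if is_lookalike(name):
            reasons.append(f"value name {name!r} imitates a system binary")
        severity = "high" if reasons else "low"
        findings.append(Finding("run_key_persistence", severity,
                                f"{name} -> {data}; " + "; ".join(reasons), cmd))
    return findings


def triage(command_lines) -> list[Finding]:
    return [f for cmd in command_lines for f in triage_command_line(cmd)]


def summarize(findings) -> dict[str, int]:
    """Count findings per rule so a hunt query can pivot on the noisiest one."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(COMMAND_LINES):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print(summarize(triage(COMMAND_LINES)))
```

On a real host the same regexes run over Sysmon event ID 1 or Security 4688 command lines; the Run-key check should be treated as high severity on its own whenever the data path sits under a user-writable directory, because the value name in this sample changed its target between three different executables within one detonation.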
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.0.1:7 | N/A | udp |
| NL | 154.61.71.51:7 | N/A | udp |
| N/A | 224.0.0.22:7 | N/A | udp |
| N/A | 224.0.0.252:7 | N/A | udp |
| N/A | 239.255.255.250:7 | N/A | udp |
Files
memory/1488-54-0x000007FEFBE91000-0x000007FEFBE93000-memory.dmp
\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
| MD5 | c49c19e172c2c6f8390bd26258557b18 |
| SHA1 | 641d8da9c08060b04fc63b07c61e1c891d5d393a |
| SHA256 | 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b |
| SHA512 | a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc |
C:\Users\Admin\AppData\Local\Temp\BwDVIKn.exe
| MD5 | c49c19e172c2c6f8390bd26258557b18 |
| SHA1 | 641d8da9c08060b04fc63b07c61e1c891d5d393a |
| SHA256 | 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b |
| SHA512 | a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc |
memory/1260-58-0x000000013FE70000-0x000000013FFE5000-memory.dmp
memory/1260-60-0x000000013FE70000-0x000000013FFE5000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Color\ACECache10.lst.RYK
| MD5 | 7d9e3486d198ffd148f67c73079fde58 |
| SHA1 | 6f0017c90c6a3d79737bfca98f4d1ec860b7cfc2 |
| SHA256 | 26b0d4609f05016bf0121fa0c19df53a2e4328cdd4dbf944fe9aa5fc7ca1cfc3 |
| SHA512 | fc0c2c3d803369ff9e696337c162b36d4fef0efb2b90b782492467b945820613c4c593b65aed0b3ea934d0bde691ca8e81a2f6f409a90703f361a04c64b10d4f |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | 19d0b3b89234480752ac8b513981ee05 |
| SHA1 | 54111398aa98c807387ced24931862f1cc9f8f13 |
| SHA256 | 40c5656680a5bc6dffb48036eee94cddf64e5f7ce4e87fc4ca4b6050d98e0134 |
| SHA512 | d754157e59242b7bd21be06fc33c9a90dad256d6a5e9a09e5d105e18d01708e8460afeb830fe330f4cb0b568308a953c1c8940f26104d6401bbbc756c89eecfb |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc
| MD5 | e94cd1e32dc0417b33af58f5c89f33d4 |
| SHA1 | 53eafcfdcebc9312177f84d892686006a3a6e72f |
| SHA256 | 966f6d081f5b89505023bdc9d1b3c14050ebb10e81fe8d9a3ad06743acbe24dd |
| SHA512 | 908ff97a11bbf978a417e82927f14015bd56c38d38b3acbf7063a327f2f6e3a52321ace98356708db7b2eb2c1d55e40499ad0acfd639a2eec0f1a296c9e90e83 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wscRGB.icc
| MD5 | 91a1eb913ac6307e9c87bbf69b69e97a |
| SHA1 | e46dbee2fc7a3fa60a4b1ae22c60a150feb29391 |
| SHA256 | c7595af9cd74daf9e46d23f65133bf117c8118c40813570f64081c7f5f339b51 |
| SHA512 | 1d58c1e7070e337a8793ab3a16834420bdb44e2d7f948f06449c304f1ed66c84f64d820b3b2626d927e5eb3304966fd07972c3e3a5ef52410e0eaff2492e49ad |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db
| MD5 | f1867c9548f5f0422eae73e1ae710d8f |
| SHA1 | d5550b2b58fbfb6dd889f5e0c07510ec96bde8c7 |
| SHA256 | 793a93ecb984c6a2a689e5797352be79822e33ae4865b77e77abd5332a7d2b1b |
| SHA512 | 2fc2245b782ca357ff634004ec51492486ea145eda63aec3f506a8d9c50623a1f09e0543cdd2f3e7aed9d0d4440af331b68777dee719328758773f931c60dede |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_vcredistUI37AD.txt
| MD5 | 74ce4d44fcf9ac144908544af46a54be |
| SHA1 | 0eee2c0649fd41a6586d17b310b330771bdf604b |
| SHA256 | b7aa3cd3eff5f5cc4bf0f9a29513934fbcbe6508032451fa704f82ece2cde695 |
| SHA512 | 16e73573117f009805474d58e5bfcc290c8ec8bb08dfb34f6ddfe573e674225ba8bd2534950e444fda1182fff509c9688566e7c55902ad1cbe74b2dc82e3570d |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log
| MD5 | 09ddd83903b3550bd0a5db604268abd9 |
| SHA1 | 85fccec4f05df0a7b74b2dcbbb8ce4e6f26fb327 |
| SHA256 | 52b3bcd51e0ecfd4e5eddea77fd7c1147638500ec3b93f686e40ed047cb4d866 |
| SHA512 | a678fe5e99b509ef7296edc1fc035b5dbf4aa910f35e84be78d5bcce342c7f66d3512ab95db4846292c37f99fb9d14738d3483934526acb2dab2c9537e90e41f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log
| MD5 | c76bee51f4a7ce9764b4a11933d3dc54 |
| SHA1 | 3ea952514ad5969d3e0c994936ca4a483352e070 |
| SHA256 | 3a433c531c801a883d85a6b7184340ba4da8f8f03c9a124f4f49d43eadbd0ca1 |
| SHA512 | 642b05bfb713efed3947bf1e9acd123aa04ce45d2a9574bce7898dca6a367bb0a85c9706f54475dfd1a27b371e24657b0d9bd236600119323276571765844791 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log
| MD5 | 768bb1472937e6b129510bed855c9e34 |
| SHA1 | d97b989f6ee47e47901278a2c77012b91e3be4be |
| SHA256 | 95d631531d08559577554747d8a2d82111c6f12699c4533f2a180d01fae94732 |
| SHA512 | e9d02f9b752610291209704f02e697d1c9ef43022991cb48a5ad0f83f44cd1272eac2a9d4a53169b0c4d55d80b69b9bdf7fd9d240fa63d461db0177edb67a13a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jusched.log
| MD5 | 1cb1fa6d5ce2f42fd429c3cbc2d24903 |
| SHA1 | 80be16803f2780e2b04504dcdf70f5f6af44b2c3 |
| SHA256 | 787e719df0dd0ae9861cbadae2d85b82ee54bc82dc4399642959d5300dc1c678 |
| SHA512 | d14e1a35abade9f2e05b6a1de26f3e1eee0cc792c4d19360efc868bc2a8e0ee3512a7558fd2a016686b49c4c00649032ce127a3a3d887d74fe322a19a7b2f1a1 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp
| MD5 | 331a524eabac175897f4c43f50cb7a2c |
| SHA1 | 72b621973793acd6309214f1fc342f88dc060239 |
| SHA256 | 37ae99537b9078a0c274cf4680d5ead28cea74cd229ded2ad077ff59766be28a |
| SHA512 | eb40018fdc953cb31eaf9c1ce0b4e9d3b4ad7a4ab04f5df04efaec2ab34fa799eb64a6dc164161082bd6367b446c746f090c30b58ddffb50f8d8f6b638312efe |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp
| MD5 | 70742f35bf266ead9efaba36410aeda0 |
| SHA1 | 00fafbfe805a98931ac10be2fe4b2d3225ff2fd6 |
| SHA256 | 01fdfca19cb7a2309b432979a1a467e40935ae833ece0a7e2d67dbdfd2787c8c |
| SHA512 | aeca60adbcce54e17077a00e3649f1687095e1084f07592bc1ac510e9c2954d31b19e303edec28f5f667bfdfe59673f984ca469c32441be154990d1e177c2322 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install.log
| MD5 | fecda2e7727aad12e1499782412b0e21 |
| SHA1 | 78692bf123ac4eb5fcbe59e7bb47901c98839867 |
| SHA256 | fd096d9c2f7843c07240de833a5e16f6e224ea5bf4732c63d3bf377b478e99ab |
| SHA512 | 2e924ba5af65e65dcae6a34f42e1549d735ceefe79ad31a3d470a52b8667be9ed988830a2529f35a3826cc74b2f133536da3ead3594919e8a85e20ab1324252f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\java_install_reg.log
| MD5 | ab7b69045f9151d8abf87a286ab381b0 |
| SHA1 | cdb1f385e27feabb1d735e401d013bb5ff822675 |
| SHA256 | 1682fdd5ecf580ac40bed70ecc720ad6f7ebf74bf7a1be5184dc1e2b7c95eaf9 |
| SHA512 | ef211f4aeb298ddbe8234a0261b3a264ac3b187d2bd0f2b47e6cf29e1a13ab9af0cb090628db1ce5b57f966a5284a29ce4a8284495c1daf81acb3987ba68d52f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\JavaDeployReg.log
| MD5 | d6d9ea261bdea3feb7e7df9f29e6a458 |
| SHA1 | 1a4d0c1e09cdf5df576c55fb90b3483e76e395c3 |
| SHA256 | af960ef1352022038686eae69a592738ca2ae61a77b78597a7dd0326904f02ef |
| SHA512 | 84bc76e7bfc759855f78bc29161a2e035ecff6ea4fbc3ebb445df42d78bdf38f39960f73023620ec549bebed91f7e90d02cf5015558143ae3bfbe9fa6089c148 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms.RYK
| MD5 | 89656b5143edbd214f2b3a9237d8bd4d |
| SHA1 | 53b309709c4f51537dd4bcae4ccbb68a9558ecda |
| SHA256 | 5fc975cee9fdce794508050bdbc928a4f66c2f1f9501cdc8b06dd299da3c3cfa |
| SHA512 | 3619cbb171b2db99d1e0285305a05ca2f6cee828c14091b56c70c69b1b236c21e9dccebf9aae6af64137f0ccdb1410b0f60f8d823bcf1444f3e42cca46b55d3e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt.RYK
| MD5 | eba00c9dd9208b14869fcfdd6cc71522 |
| SHA1 | f7927c20b43ab4f2fa50770517d07c7f832b030f |
| SHA256 | 65857bae586ecb687047f9ce6d98e3a4dab7ecd08b71a574dccb851329cebb4d |
| SHA512 | 892c727ec97cd9cb5435ac4e1360d1a14b7be90dcf658ab91a488f9a3e8c1fdac48cfe5a8266f52bf7999397a8f3d20f0312c6650b972bc8c56b763270390b3e |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak.RYK
| MD5 | 658752e015378aa15a5410a51fde75a0 |
| SHA1 | e0424aa69de8b3118625f93533e63ae962cf4b79 |
| SHA256 | a164ec417cee5196ffe0f093ae52854e00b42fbf664d05d73eda8f7791c7a012 |
| SHA512 | d0d8d30acd8cc7b0890f8feb1bb401bc130fb48210701381c34132912e5ed39a7a36cf6dea7d5ec35ae3c3dfa1eac159504c1baa4f92b20a8a0b0a2f4b789986 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\LocalMLS_3.wmdb
| MD5 | 111f6c5a6972ddb596f9af525e3ffb98 |
| SHA1 | ed3719d62274c342e1a3f0870a3065959631184a |
| SHA256 | a76c8ce21de9f18326597b8170d829871655dfdc23d9e9c4e773a6744ad2a6f5 |
| SHA512 | 6881ede0a83b8bd09e022f8e6a7024effadc4457ac8dac727c90b05cff06f3b1065aff989c4e009f0851a7e65998455634e3602fd83ed7b88055cd6d2629c6ce |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml
| MD5 | 81f06adee36cff78baffa40278483df6 |
| SHA1 | ace6aaafcaad0fbe87a9c080c1c3b8d826b1bc1f |
| SHA256 | 25e52384ae3b9cee4e361d719b7d3a066b5c717ad5ffc724da9e9477a6f074d8 |
| SHA512 | fe7bc1449c3f23d74bd7e379724d93bbe5dd9860a2165e03edacd5c6e401603bac7b747f1228e7045d95c8f459c8570c8e7b8304f005058466b5dc72d0831170 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\12.0\WMSDKNS.DTD
| MD5 | d6ae4eb4a3f384a56b52c6110af40bfa |
| SHA1 | 019b40c3e94ebbdd9c120fa31a4a2695aa0e4409 |
| SHA256 | 0bce0b98d4d2246dd8088d4c80b5ca4d6fa7216927f57b4180501c942bfb27c1 |
| SHA512 | ade41a40b0dffacd5b67c3777b556ab622c0c5545b4085a56be9fe588380de686fc57206c7bf070bd5e9849bfd6aeb7301681c285287c39bbd7a049db2cd01f6 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Media\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs
| MD5 | 1f3a542e0a6716a4050e24018e87be43 |
| SHA1 | ad06bd77b36f2985143fd2da9183193963b8a04f |
| SHA256 | 4e546fcce6d81d3944d7d31be784bfc510ea837f7c9916ab62eb500507ebfe1c |
| SHA512 | 0549c3ae2a8b4f7e21125b8d79416078191e5775881db5306318839fdaaeb03437a847e29484e47e00c36c26fc4a5bf9f07f524212481479c8bbe6b37bf7ab8a |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\174997711\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\WindowsMail.pat
| MD5 | 43597a612d922202e6de38b8a555b569 |
| SHA1 | a8b8566d132f8814e74ca44db7c2a36817d67e52 |
| SHA256 | 63afa6fe1a03ee6651b91f4c0c14b73830dc5e1fde2eeb9e25421c9350ecdc4f |
| SHA512 | 2eca45ad8c9b72a1b70b9741e91522a04a5e60939f5a2045853c5f1225e7c1edd0fa5449f9b7bd3d43a0e78069c5685bfd4ca8b380a5f826714540388b9acbf3 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\hsperfdata_Admin\RyukReadMe.html
| MD5 | 5cedf73dbf75099b8abcefc3f07e9975 |
| SHA1 | 2ecabc828715573e9d7aefaf82bfb0e7379e92cc |
| SHA256 | beb3695bb9be64d641570104a56889b776cdbebd9c132045c52b9543d1f82b63 |
| SHA512 | dfe8485e7138ee9d0a03b9f3000bc8513856f82b51d2ef9f7c6be66b28ea0df86521c2b3b3c575f11061b3820758f280a99fbf77e482fa34c3a53c40c3928c56 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt
| MD5 | b77d8b04939d8bf78358996fa11ccc59 |
| SHA1 | 5e2931781996e1c26eb2dab0915696ecdebc5909 |
| SHA256 | c43e54e8db49c679cd7a4d41e64986ecc72cbbe2cad90fe350cc82a7536771b5 |
| SHA512 | 256efe9def79c4816a8e87db80ef224be7bc76db4ddb021f48d5e16bc4ef1244ae2245bfeb600db1ca9de2864c5702d32ef165608424b002488a41ddc5eca536 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log
| MD5 | 2d3b7c5a823586b6de170a4bca61b376 |
| SHA1 | f281d49b342f82378f170fe1e612d1106edb2625 |
| SHA256 | e59ba8a596ba9e56666e7699bdfd9ec0ce1045a83a41faf0cda936bb4e91b87c |
| SHA512 | 806c46210b2f4f81e824fee54e0319189b63da1b258ca372bf9f39d21fb7d9e20962ac9973bef6c67036a8cfc9e66d79c6b339f7b838a258b0690ac276f6eddf |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 05:45
Reported
2022-02-20 06:14
Platform
win10v2004-en-20220113
Max time kernel
33s
Max time network
66s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe
"C:\Users\Admin\AppData\Local\Temp\73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b.exe"
C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
"C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe" 8 LAN
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
| Country | Destination | Domain | Proto |
| NL | 104.110.191.133:80 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\KuMihCH.exe
| MD5 | c49c19e172c2c6f8390bd26258557b18 |
| SHA1 | 641d8da9c08060b04fc63b07c61e1c891d5d393a |
| SHA256 | 73dba5d04608fbc2fc53ea986585f0b35bdc24a7bb30c6b43e83a5a9278cd16b |
| SHA512 | a66789da1fd31f46f04937ed507662ec0bf68c13f27f1cb0a63ddcc977f33073f3769abdcb4206651781f0e2151c93d7155358367dd1a43d4216200968e220bc |
memory/2396-132-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp
memory/2424-133-0x00007FF6C62E0000-0x00007FF6C6455000-memory.dmp