Analysis Overview
SHA256
6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827
Threat Level: Known bad
The file 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Drops desktop.ini file(s)
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:08
Reported
2022-02-20 06:39
Platform
win7-en-20211208
Max time kernel
196s
Max time network
149s
Command Line
Signatures
Ryuk
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Links\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\SendTo\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Favorites\Links\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Recent\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Saved Games\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\Contacts\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| File opened for modification | C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
Enumerates physical storage devices
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe
"C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "spooler" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
C:\Windows\System32\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 stop "samss" /y
Network
Files
memory/832-55-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp
memory/1240-54-0x000000013F900000-0x000000013FC97000-memory.dmp
memory/1240-56-0x000000013F900000-0x000000013FC97000-memory.dmp
memory/1328-58-0x000000013F900000-0x000000013FC97000-memory.dmp
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
| MD5 | 93a5aadeec082ffc1bca5aa27af70f52 |
| SHA1 | 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31 |
| SHA256 | a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294 |
| SHA512 | df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45 |
C:\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc.RYK
| MD5 | 7e0c04107b794551ac6f87fbdec1cea6 |
| SHA1 | 738ad8e4b2ec288605a68b9ed9623ad3c39d2e45 |
| SHA256 | ff7dab225d0b811001be3b8777b95a8670bd570f584617de77324522a9b003b2 |
| SHA512 | fc958fe515f7b367c52f1bb078f22fd728524572d85eda72d34094456933106912aa294a021fe5a94468c1b225adaf8cef4064b6236d0cfdde7a6f76aadd386f |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
| SHA1 | b03636f35aeee86cd6e57153831cc7b38ba3f509 |
| SHA256 | a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2 |
| SHA512 | 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK
| MD5 | 2aca90ec6646c87aae0f2240d88d9178 |
| SHA1 | e1ae98126b93a28b7c37fa5ab707db83e975d47b |
| SHA256 | ffc152170692a942c81df5eb26e3ce1a48ee1be898d95495b669fcab31ad0f66 |
| SHA512 | 2399396744469fc0f5296da134d62b7adb415b5321cec8ea62df241a78c9aa1b533b1cc958dbb8c8263c65b91b2f9d0be00cd8fdad2fbc7a628f103ac7049f15 |
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt
| MD5 | b7a3cc912ef3a68406d1caeb94d35a13 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:08
Reported
2022-02-20 06:40
Platform
win10v2004-en-20220113
Max time kernel
36s
Max time network
129s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2576 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\sihost.exe |
| PID 2576 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\svchost.exe |
| PID 2576 wrote to memory of 2424 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\taskhostw.exe |
| PID 2576 wrote to memory of 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\svchost.exe |
| PID 2576 wrote to memory of 3368 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\DllHost.exe |
Processes
| Process | Command Line |
| C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | "C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 72.21.81.240:80 | N/A | tcp |
| US | 72.21.81.240:80 | N/A | tcp |
Files
memory/2312-130-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp
memory/2340-131-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp
memory/2424-132-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp