Malware Analysis Report

2024-10-19 06:16

Sample ID 220220-gvy8gahdg5
Target 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827
SHA256 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827
Tags
ryuk ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827

Threat Level: Known bad

The file 6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827 was found to be: Known bad.

Malicious Activity Summary

ryuk ransomware

Ryuk

Drops desktop.ini file(s)

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-02-20 06:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-02-20 06:08

Reported

2022-02-20 06:39

Platform

win7-en-20211208

Max time kernel

196s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe"

Signatures

Ryuk

ransomware ryuk

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Links\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\Sample Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links for United States\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\SendTo\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\Sample Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\SendTo\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Desktop\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\RO7FJFDE\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Recent\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\Stationery\Desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Saved Games\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\FNOUQX38\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\T7AS43M2\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Documents\My Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini C:\Windows\system32\taskhost.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A
File opened for modification C:\Documents and Settings\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\taskhost.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 832 wrote to memory of 1240 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\taskhost.exe
PID 832 wrote to memory of 1328 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\system32\Dwm.exe
PID 832 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 972 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1440 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 972 wrote to memory of 1140 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 972 wrote to memory of 1140 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 972 wrote to memory of 1140 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1304 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1304 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1804 wrote to memory of 1304 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1440 wrote to memory of 1172 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1440 wrote to memory of 1172 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1440 wrote to memory of 1172 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 832 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 1892 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 552 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 552 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 552 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1892 wrote to memory of 1180 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1892 wrote to memory of 1180 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1892 wrote to memory of 1180 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1880 wrote to memory of 624 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1880 wrote to memory of 624 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1880 wrote to memory of 624 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 1664 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 1664 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1964 wrote to memory of 1664 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 552 wrote to memory of 960 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 552 wrote to memory of 960 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 552 wrote to memory of 960 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 1172 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 1172 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 1172 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1172 wrote to memory of 580 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 580 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1172 wrote to memory of 580 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1240 wrote to memory of 1180 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 1180 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1240 wrote to memory of 1180 | N/A | C:\Windows\system32\taskhost.exe | C:\Windows\System32\net.exe
PID 1180 wrote to memory of 1212 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1180 wrote to memory of 1212 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 1180 wrote to memory of 1212 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 832 wrote to memory of 8880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 8880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 8880 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 8880 wrote to memory of 8904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 8880 wrote to memory of 8904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 8880 wrote to memory of 8904 | N/A | C:\Windows\System32\net.exe | C:\Windows\system32\net1.exe
PID 832 wrote to memory of 9108 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe
PID 832 wrote to memory of 9108 | N/A | C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe | C:\Windows\System32\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe

"C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "spooler" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "audioendpointbuilder" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

C:\Windows\System32\net.exe

"C:\Windows\System32\net.exe" stop "samss" /y

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 stop "samss" /y

Network

N/A

Files

memory/832-55-0x000007FEFBC21000-0x000007FEFBC23000-memory.dmp

memory/1240-54-0x000000013F900000-0x000000013FC97000-memory.dmp

memory/1240-56-0x000000013F900000-0x000000013FC97000-memory.dmp

memory/1328-58-0x000000013F900000-0x000000013FC97000-memory.dmp

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e

MD5 93a5aadeec082ffc1bca5aa27af70f52
SHA1 47a92aee3ea4d1c1954ed4da9f86dd79d9277d31
SHA256 a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
SHA512 df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

C:\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\Cache\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Adobe\Acrobat\9.0\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Adobe\Color\Profiles\wsRGB.icc.RYK

MD5 7e0c04107b794551ac6f87fbdec1cea6
SHA1 738ad8e4b2ec288605a68b9ed9623ad3c39d2e45
SHA256 ff7dab225d0b811001be3b8777b95a8670bd570f584617de77324522a9b003b2
SHA512 fc958fe515f7b367c52f1bb078f22fd728524572d85eda72d34094456933106912aa294a021fe5a94468c1b225adaf8cef4064b6236d0cfdde7a6f76aadd386f

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Adobe\Acrobat\9.0\Cache\AcroFnt09.lst.RYK

MD5 2aca90ec6646c87aae0f2240d88d9178
SHA1 e1ae98126b93a28b7c37fa5ab707db83e975d47b
SHA256 ffc152170692a942c81df5eb26e3ce1a48ee1be898d95495b669fcab31ad0f66
SHA512 2399396744469fc0f5296da134d62b7adb415b5321cec8ea62df241a78c9aa1b533b1cc958dbb8c8263c65b91b2f9d0be00cd8fdad2fbc7a628f103ac7049f15

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5 f4e45b53ed6d35b527af06161d8a8bc8
SHA1 c77ae1b739ea762cfd62541b70d3bace42ad967e
SHA256 3665a7da8d54c0a9c5b7a39fc38225dc1595fa7c95fbe173df3498bccb5c5ac6
SHA512 ca7cd513bfe73b221d299ddba6959025e0c4beb29244ab58cd4abcea248c8ece1b5c95c7840eaf803f0e52d7811630d5abe35df541965821f04de8e04860e981

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Adobe\Color\ACECache10.lst

MD5 f4e45b53ed6d35b527af06161d8a8bc8
SHA1 c77ae1b739ea762cfd62541b70d3bace42ad967e
SHA256 3665a7da8d54c0a9c5b7a39fc38225dc1595fa7c95fbe173df3498bccb5c5ac6
SHA512 ca7cd513bfe73b221d299ddba6959025e0c4beb29244ab58cd4abcea248c8ece1b5c95c7840eaf803f0e52d7811630d5abe35df541965821f04de8e04860e981

C:\Documents and Settings\Admin\AppData\Local\Adobe\Color\ACECache10.lst

MD5 f4e45b53ed6d35b527af06161d8a8bc8
SHA1 c77ae1b739ea762cfd62541b70d3bace42ad967e
SHA256 3665a7da8d54c0a9c5b7a39fc38225dc1595fa7c95fbe173df3498bccb5c5ac6
SHA512 ca7cd513bfe73b221d299ddba6959025e0c4beb29244ab58cd4abcea248c8ece1b5c95c7840eaf803f0e52d7811630d5abe35df541965821f04de8e04860e981

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\Low\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\IconCache.db

MD5 2525cd20fa7731e042053dc80ce370d5
SHA1 305f51a24ba50684f306afc5fae6c4ff8a12c189
SHA256 a4155a5c63acbe0975ab54ac44112421cd0e57e32efb4e6e45c87fb2442abcd7
SHA512 0c5521a0d724af672ebee18a1476cfa99813d571fdcc4b38245281c599c7fe9cf443c6e0c84bf699452ddbe723d4e13f178a0586c5463979b055721dd4f4aee5

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00000.log

MD5 7f5e803954872aa8c4eda7025f659f49
SHA1 c301cc10cd5e1ac684bb22007c050663a731ab99
SHA256 92b87eed678e55ed0bacf12394cd400c82d91f7a412aa9aadcd980e9560ff98a
SHA512 8f2bf2e78007442be91e48c8abedfb2014c5f1b8ed090a9729965031f3000c10090e0c96ad84de0786772d781624d223993c80251eb35b92dcc9cba6fc6abbb0

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\dd_SetupUtility.txt

MD5 a38d42eccc70c7a4ea260b9db44c4a9c
SHA1 7f987541e99a0d8c7d4f7f25f8f03d042ad04b6d
SHA256 5af762377a400284c4ab0ee168a6f07f352a44df4137d17fce00eed977b37305
SHA512 4acfc87d0b7784e61f7e62ebdd29757a2e39de9ca1fc0719de343aefc661705007c74f89b972a4f0f4f3829a1f96bb5ac32762fb6ef5fb403eb0405a02630884

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Low\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\WPDNSE\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\wmsetup.log

MD5 046a97dea1f0a1beaea145724b8dec85
SHA1 0870bdcb8a736161f89d8446234c9f12b5acdcdf
SHA256 aa67aad82b7ad2b5be92f970f730ea5fabaa76d6a730bc8c7148f7a19ae8a11b
SHA512 e5007e46b8154422cbb4557c8112e5c2971c4df48d7b9a9631b4498004dcef3294755b28dea626b8407602e4165652ec383c0972e882345990dfd25e735dee04

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\chrome_installer.log

MD5 29008b3b4aed0f5e3575b253057ccfbc
SHA1 003a2fc6f232d34e5370205b9a1168e91c870bb2
SHA256 0f10776cdbe11cbe5bd9adec624e97a5f1bac5a253ef891241c6d84a0909c9e0
SHA512 ae684b340e9813541fc1d788a4801781a85796e0d002ffb2c7a797852990694aa4ce30d79928b72594db25e05246095c03a3ee579758ca77645feed94aea07eb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Credentials\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\ASPNETSetup_00001.log

MD5 d9f39663a22c651ed238f601f37bbb21
SHA1 142b7ec51c7db8dfefa399b1b8cb5d7ccc0a9608
SHA256 6b23fab51ecb4269ca6e8a29e9683b44ce6e04ddf14b601c2bb006bada95436c
SHA512 cc54b3ab4952fb566a9e5cf06201b5823a190c71b771c83704b5e823229e28bfe1939c50809922a758d45114a66384b60bd72b89d41a0c81e3c28e94f606676d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp-tmp

MD5 1617ab2c26bb97aad3342c0ce5037c38
SHA1 543914a4b4deaf746a593e758e65803cd829a750
SHA256 0fc1bb56c0b4ab6d3a23f8b137640fc587e648edf25702b09e5b87a3b4b36086
SHA512 efe5e13836dd6ab02ade314c393893c5f5c6d24abe1b9a9420554d70be8f812ba4b35437b9f79bcdfac7642d7523bdf7dd0a29216b41bf46b88be088e1b6a273

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Admin.bmp

MD5 49506be9de92dc382046beedcaf42e3f
SHA1 199203c9fccf463dc8ed12b089088b6c572f287e
SHA256 bf67936cebe071f3e81cb16cebb1f9841f28ad3873838049f0d96f2d8891f87b
SHA512 4e1605b2ad6731d4b7e05b435be569b8533d3cf2d8ed67c99b035074230d5f10fc90635b52b305ef6fd59687ab26d6fd40a2cce0823f74af3a575f00f17fd6dc

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms

MD5 97dd53805477b390b169b1f6958d01a0
SHA1 0c32b1bcee17b2bb603924e9877af9c3dc43aad1
SHA256 293a56724d4bb69f40b9035722436f2087c91a9d68bdd77a4f25acfa8e3fc4f7
SHA512 f41b7cfecaa26af15cc278d737ac4fa9b034b1d0a39d3aa756a5b663c4fdab9f549da3892132c3cd0c363ac105ed585ee20f58d5d0f61ecb3280304f8cc52387

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\RGID605.tmp

MD5 050003b56d5d16471ee8b851351e8d9c
SHA1 6d3a9a02dbab6811413de958cf82fe196c09e728
SHA256 4c2d3b7b87b82f0490b6055d72d5ec8c56eee3a1561eff6b2dc71278c825b4dc
SHA512 209229a637ea42008f7c22f8b55f2e347a597aace225389ea15ffb5e7c9d8cebb7f915d9482516e825116ac4a60f54aa80de04e965352033450cae834739a505

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\NK9YD4KU\desktop.ini

MD5 0deafe4bb43f57fcafd7fd076b498995
SHA1 9d8ea3bdd09a13e6ab0983280ff2bc756171d4e1
SHA256 0a6cafe59724bdf90eef0540ce3dfcd7875d2378c5b871fc3a01928b10fe8774
SHA512 3372f13486228ad2dba79f2e873db7f15aa9084945f339830e6b4c98fe4f86779021c41eb7d15d158ec2cf64bcbee6127c74852b0fcb83e4335cc654771d389b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\K819CMRP\desktop.ini

MD5 60a156d6023e989bfcc9135da423fa7b
SHA1 41695f22487ade8db6d1ef05ebdae087081f5716
SHA256 3887c5307f458cbe04e9a37f0efebea65c67d71fef81f594f6b515d0bdeecc06
SHA512 a2acb3c0c36c2d5b7e960fdd9a934a4b5c32b74dd765ceffab0b295e9c0006d083d505b3b7dae4e993d1d4f52284f46767df885e121102187525ce170ebfaa34

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\S3IV548V\desktop.ini

MD5 9dd72095334b0c4c6abe178ea6e12729
SHA1 5fc2de72a5a984393713e8b5ce6b7f71e772522a
SHA256 449b834cc9981ed32fe6f808b700ea409ae9c6dfa8353c0e51b04ba82d55962d
SHA512 b6e8787c9bb3d9013985ba16aad97fc1af750756a4e565ffc20e9bdb3c86c10a79d91e28783e771f6eb3408bc2ef0f811ea07a82c6ddd79f2b4e5b56ce44336e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Feeds Cache\QDAZQ7UR\desktop.ini

MD5 ca68d2961ee083d0e7888bd641b13b2a
SHA1 05176030955b19007f63dce494f6f97fde026ebe
SHA256 6a9c60e41b940a676afd6d6f4be7bab62de764d74d12e1b43a2022c4cad92dc0
SHA512 7d7e3fef50f20abbb02cea712e851b34a9a8cd5d592c9b676412060646327a6bcc1111dbf46cb54645e27e8142229d87f17fac02678c7d04e5e56acb9989f3bb

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.bak

MD5 b20d1b9a56349935a520990c1ecce4bb
SHA1 6e2d4c397128dd8dfd62036797f31c53c0131b07
SHA256 7584a918ca041fa78f6eb1424b57e768565f352d1799360a17443eeb6622b212
SHA512 c28ba443774c29335e159e4d7175f24edc4f25a39873727b0263a2d64751257dd3fe3f7df965251279871bf64bc3eab8afed7ecfa3e32064b2a4b8538238d43d

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Internet Explorer\brndlog.txt

MD5 45d2f0a70e5dd65a4d99f203b70b268f
SHA1 3d36fee8207ec3c4b3b2db154867668a08c5b78e
SHA256 0a8f1a6bd9b5c4be5730cb744492f6a19d345b3d77c9d7f1cf2e4f2901a4a1db
SHA512 d1c91a972278bffae4dc9d296d192cc0cfd16deb81911481a2cc651dd682189131ef55dab5af4dfdfe4dcde6e726d898d0bbe59b0582f82dfdd610bacd2dc465

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Media Player\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\Groove\User\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\PlayReady\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Burn\Burn\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\WebCache\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\RyukReadMe.txt

MD5 b7a3cc912ef3a68406d1caeb94d35a13
SHA1 b03636f35aeee86cd6e57153831cc7b38ba3f509
SHA256 a89cf8f8e61ddca0d77f7b126857aa639f9ffb54f9da08443e903375156ec3c2
SHA512 97ac79f82fa07423200b4855a2cbfcd93adef30461004b001ba4f12684c6c8c01f84225ef8dd80b2f8a0045af73453f30030a22dff9ffd50d9e235efc5534b3b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\oeold.xml

MD5 53b5c4902a981f9469818d422fa9aab0
SHA1 942de7923f25176f2f25d6ffca13af9c6b87bfb6
SHA256 a5cf84407929b19948f45b6ff2445cc972c3693f82000ea09c2af8cf34fd0d1e
SHA512 b2732ccaca8cd0b9ef30e6d5c1a977f4c8c49f6a2dc79340edb07ae46c68a9eeffa649f731d64cbf946166d3ae31d9a1020e8157896d46d7e3e87460d36bb580

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb.log

MD5 31c995fe6426eec9c64eb27cc7017964
SHA1 dfd147f36051e7cf8e80c0ffdcd590cf19dd95df
SHA256 3c3203dd317bfee167085ce4eb65cc8ec31c2383477d01cdf4fb1a186f2074f3
SHA512 b610a042a9e12bbf3b3eef4ba610fa3849c377357102c8a015ab3d51d931cb273fbbda2b910cd5e34c8c04cfd9c76dfc84132e5d2577798c8b9ca3723d77dc7e

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00002.jrs

MD5 5fb6de592ccbe40598754ca3d5797938
SHA1 dd5aeaca54c5e42b017be404b3e141d1cdb97741
SHA256 a62ca1c0c710ad308a25916e2b4ee2123cace24f24f7478160a312a71dcaa7ef
SHA512 1824a0a36dab9f074162642f7425820a2fdec427af645c14ac44527f20ee57873ef8bd0af02fe1500d2d3db6af1a77d93fbf500d21adffb12786dd15c8048c92

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edbres00001.jrs

MD5 610bf49d25cc260097c3e026752d7d01
SHA1 901ade7d129c40ad3537f1e497a9919093de91d0
SHA256 0dd63552e9658ad8a5422cc8c4cca0d3a16cfec36375ad80f7a0f08ea3de2926
SHA512 6f0bd38860d39b7ea1b4e8f93f38953ebdb53f24bd29b8f8a3b6fe9c29a0a7605e191150f88976344b718b2bc1d10d0cceb8775fc9448429dab68debedd68a1b

C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Mail\edb00001.log

MD5 c88a210068f4eadccdf864fcfdf37b9f
SHA1 08e2bc98d4c755cbee14b1cd526f1f1ceae5aa09
SHA256 c50525b78a57b2040957be6beea27071cb27f3bb18dd00063d803361768f6a8f
SHA512 d8ac961f6ea812abdc6bc7064e1e0a9d527e8dd7c863e5ebdd17d1c257fe8baceef0eec1e06e132d6ec8d76a639ed69a56ee38f4e99c75655a3015b0a6c08895

Analysis: behavioral2

Detonation Overview

Submitted

2022-02-20 06:08

Reported

2022-02-20 06:40

Platform

win10v2004-en-20220113

Max time kernel

36s

Max time network

129s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe N/A

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe

"C:\Users\Admin\AppData\Local\Temp\6c816118b8a9f6a7e3a4fffdcf793b35537b58aaa05d887595629eee5bf75827.exe"

Network

Country Destination Domain Proto
US 72.21.81.240:80 N/A tcp
US 72.21.81.240:80 N/A tcp

Files

memory/2312-130-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp

memory/2340-131-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp

memory/2424-132-0x00007FF6CE500000-0x00007FF6CE897000-memory.dmp