f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample

General

Target:    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Filesize:  170KB
Completed: 20-10-2021 08:55
Score:     10/10
MD5:       1bd7d1b87c5091a9653fe8005892b784
SHA1:      3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
SHA256:    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703

Malware Config

Extracted

Path:   C:\RyukReadMe.txt
Family: ryuk
Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures: 26

Tactics covered: Collection, Credential Access, Defense Evasion, Discovery, Impact, Persistence
  • Ryuk

    Description

    Ryuk is ransomware deployed as a late-stage payload on networks that are already compromised by another botnet, most often TrickBot or Emotet, rather than spread on its own.

  • Deletes shadow copies

    Description

    Ransomware often deletes backups and volume shadow copies to inhibit system recovery. No IOC rows are attached to this signature; the vssadmin.exe processes that carried it out are listed under "Interacts with shadow copies" below.

    TTPs

    File Deletion; Inhibit System Recovery
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Modifies extensions of user files
    taskhostw.exe, RuntimeBroker.exe, sihost.exe, svchost.exe

    Description

    Ransomware generally changes the extension on encrypted files. Note that the writes below are attributed to taskhostw.exe, RuntimeBroker.exe, sihost.exe and svchost.exe rather than to the sample's own process, which is consistent with the sample injecting its encryption routine into existing system processes; a detection keyed on the sample's image name alone will miss this file activity. The rows record the files being opened for modification, so the extension appended to the encrypted output is not visible in this report.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | taskhostw.exe
    File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | taskhostw.exe
    File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | RuntimeBroker.exe
    File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | sihost.exe
    File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | svchost.exe
    File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | taskhostw.exe
    File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | RuntimeBroker.exe
    File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | RuntimeBroker.exe
    File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | sihost.exe
    File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | sihost.exe
    File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | svchost.exe
  • Drops startup file
    sihost.exe, svchost.exe, taskhostw.exe, RuntimeBroker.exe

    Description

    RyukReadMe.txt lands in Word's STARTUP folder because the note is written into every directory the encryptor visits (compare the Program Files rows further down), not because the sample installs anything there; a .txt file in that folder is never loaded, so this signature is a path match on the startup folder rather than evidence of persistence. The Run key entry under "Adds Run key to start application" is the actual persistence mechanism in this run.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | RuntimeBroker.exe
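The two tables above carry the detection-relevant facts of this run: user files are modified by system processes that never write user data on a clean host, and the ransom note fans out into every directory, startup folders included. The script below is an added example (not part of the sandbox report) that applies those two rules to rows in the report's own format. REPORT_ROWS are copied from the report (the Pictures rows, the Word STARTUP rows and four of the Program Files rows); the writer allow-list, the autostart extension list and the classification rules are this example's own heuristics.

```python
"""Separate injected-process encryption and ransom-note fan-out from genuine
persistence, using file-modification rows in the format of this report.

Added example, not part of the sandbox report. REPORT_ROWS are copied from the
report's tables; NON_WRITERS, AUTOSTART_EXTS and the rules are this example's own.
"""
import ntpath
from collections import Counter
from typing import Dict, List, Tuple

# Service-host style processes that, on a clean system, do not open files under
# a user profile or Program Files for modification. Writes attributed to them
# are a strong sign that another process injected code into them.
NON_WRITERS = {"taskhostw.exe", "runtimebroker.exe", "sihost.exe", "svchost.exe"}

# File types a Word STARTUP folder or a Windows Startup folder will actually
# load or execute; anything else dropped there is inert.
AUTOSTART_EXTS = {".dotm", ".dotx", ".dot", ".wll", ".lnk", ".exe", ".bat",
                  ".cmd", ".vbs", ".js", ".ps1", ".dll", ".scr"}

# Rows copied from the report tables (description | path | process).
REPORT_ROWS = r"""
File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | taskhostw.exe
File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | taskhostw.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | RuntimeBroker.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | svchost.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | taskhostw.exe
File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | RuntimeBroker.exe
File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | RuntimeBroker.exe
File opened for modification | C:\Users\Admin\Pictures\CopyInitialize.tiff | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\LockUnpublish.tiff | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\CompleteUnregister.tiff | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | sihost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | svchost.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | taskhostw.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | RuntimeBroker.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\RyukReadMe.txt | sihost.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt | RuntimeBroker.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\RyukReadMe.txt | taskhostw.exe
File opened for modification | C:\Program Files\Microsoft Office\root\RyukReadMe.txt | svchost.exe
"""

Row = Tuple[str, str, str]


def parse_rows(text: str) -> List[Row]:
    """Parse 'description | path | process' rows; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        desc, path, proc = (part.strip() for part in line.split("|", 2))
        rows.append((desc, path, proc))
    return rows


def in_user_or_program_dir(path: str) -> bool:
    low = path.lower()
    return low.startswith("c:\\users\\") or low.startswith("c:\\program files")


def writes_by_process(rows: List[Row]) -> Dict[str, int]:
    """Modification count per process (lower-cased image name)."""
    return Counter(proc.lower() for desc, path, proc in rows
                   if desc.startswith("File opened for modification")
                   and in_user_or_program_dir(path))


def injected_process_suspects(rows: List[Row]) -> List[str]:
    """Processes from NON_WRITERS that nevertheless modified user/program files."""
    return sorted(p for p in writes_by_process(rows) if p in NON_WRITERS)


def note_fanout(rows: List[Row], note_name: str) -> int:
    """Number of distinct directories a file with this name was written to."""
    dirs = {ntpath.dirname(path).lower() for _, path, _ in rows
            if ntpath.basename(path).lower() == note_name.lower()}
    return len(dirs)


def classify_startup_drop(path: str) -> str:
    """'persistence' only if a loadable/executable type lands in a startup folder."""
    if "\\startup" not in ntpath.dirname(path).lower():
        return "not-startup"
    ext = ntpath.splitext(path)[1].lower()
    return "persistence" if ext in AUTOSTART_EXTS else "note-drop"


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("writes per process:", dict(writes_by_process(rows)))
    print("likely injected:", injected_process_suspects(rows))
    print("RyukReadMe.txt directories:", note_fanout(rows, "RyukReadMe.txt"))
    for _, path, _ in rows:
        if "startup" in path.lower():
            print(classify_startup_drop(path), path)
```

On the rows copied here each of the four processes accounts for exactly five writes, all four are flagged as injection suspects, and the note appears in five distinct directories; the STARTUP copy is classified as a note drop because .txt is not a type Word loads. In production the same logic runs over Sysmon Event ID 11 (FileCreate) or EDR file telemetry instead of report rows.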
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials. No IOC rows are attached to this signature in the report; on a ransomware sample it is more likely triggered by the encryption routine opening files inside the browser profile directories than by credential theft.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application
    reg.exe

    Description

    Persistence is written to the current user's Run key through reg.exe rather than by the sample's own process. The value name "svchos" imitates svchost, and the value data points back to the sample in AppData\Local\Temp; both are cheap things to hunt for across an estate.

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" | reg.exe
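The Run-key row above is worth turning into a reusable check, because the same three tells (a look-alike value name, an image under a scratch directory, the write going through reg.exe) recur across ransomware families. The script below is an added example, not part of the sandbox report: REPORT_ROW and KEY_CREATED_ROW are the two rows from the table above, BENIGN_ROW is constructed for comparison, and the look-alike name check and the scratch-directory list are this example's own heuristics.

```python
"""Triage of a Run-key registry IOC row in the format used by this report.

Added example, not part of the sandbox report. REPORT_ROW and KEY_CREATED_ROW
are the two rows from the "Adds Run key" table; BENIGN_ROW is constructed for
comparison. The look-alike check and SUSPICIOUS_DIRS are this example's own.
"""
import re
from typing import Dict, Optional, Tuple

# Image names that malware likes to imitate when naming an autostart value.
WINDOWS_BINARIES = ["svchost", "taskhostw", "runtimebroker", "sihost",
                    "explorer", "csrss", "lsass", "winlogon", "dllhost"]

# Writable scratch locations a legitimate autostart entry rarely points into.
SUSPICIOUS_DIRS = ["\\appdata\\local\\temp\\", "\\windows\\temp\\",
                   "\\users\\public\\", "\\programdata\\"]

RUN_VALUE_RE = re.compile(
    r'\\software\\microsoft\\windows\\currentversion\\(?:run|runonce)\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<data>.*)"\s*$', re.IGNORECASE)

REPORT_ROW = (
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\svchos = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp'
    r'\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" | reg.exe')
KEY_CREATED_ROW = (
    r'Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000'
    r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe')
# Constructed benign entry for comparison; not from the report.
BENIGN_ROW = (
    r'Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background" | OneDrive.exe')


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_windows_name(name: str) -> Tuple[str, int]:
    name = name.lower()
    best = min(WINDOWS_BINARIES, key=lambda b: edit_distance(name, b))
    return best, edit_distance(name, best)


def parse_row(row: str) -> Dict[str, str]:
    desc, ioc, proc = (part.strip() for part in row.split("|", 2))
    return {"description": desc, "ioc": ioc, "process": proc}


def classify_run_value(row: str) -> Optional[Dict[str, object]]:
    """Return a verdict for a 'Set value' Run-key row, or None for other rows."""
    parsed = parse_row(row)
    m = RUN_VALUE_RE.search(parsed["ioc"])
    if m is None:
        return None
    name = m.group("name")
    image = m.group("data").replace("\\\\", "\\")  # the report doubles backslashes
    findings = []
    best, dist = closest_windows_name(name)
    if dist <= 2:
        findings.append(f"value name '{name}' imitates '{best}' (edit distance {dist})")
    for scratch in SUSPICIOUS_DIRS:
        if scratch in image.lower():
            label = scratch.strip("\\")
            findings.append(f"image lives under {label}")
            break
    notes = []
    if parsed["process"].lower() == "reg.exe":
        notes.append("value written through reg.exe, so a 'reg add ...\\Run' "
                     "command line exists to hunt for")
    return {"value_name": name, "image": image, "set_by": parsed["process"],
            "findings": findings, "notes": notes, "suspicious": bool(findings)}


if __name__ == "__main__":
    for row in (REPORT_ROW, BENIGN_ROW, KEY_CREATED_ROW):
        print(classify_run_value(row))
```

The edit-distance threshold of 2 is deliberately loose: it catches "svchos", "svchost32" style names as well as single-letter swaps, and a legitimate vendor entry such as the constructed OneDrive row stays clean. Run the same classifier over `reg query HKCU\...\Run` output or over Sysmon Event ID 13 (RegistryEvent) rows, which expose the same value name and data.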
  • Enumerates connected drives
    vssadmin.exe (multiple instances), explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive. Here nearly every open comes from a vssadmin.exe child process, with the same drive letters appearing in both upper and lower case, which indicates the shadow-copy commands were issued once per volume and per letter case rather than by a separate discovery routine in the sample; the single D: open by explorer.exe is shell activity.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\D: | explorer.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
  • Drops file in Program Files directory
    sihost.exe, svchost.exe, taskhostw.exe, RuntimeBroker.exe

    Description

    Application data under Program Files is opened for modification by the same four system processes that encrypted the user's Pictures, and RyukReadMe.txt is written into each directory visited; the sample does not restrict itself to user documents.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files\Common Files\System\ado\msado20.tlb | sihost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml | sihost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar | svchost.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | taskhostw.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo | taskhostw.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar | RuntimeBroker.exe
    File opened for modification | C:\Program Files\CompressSplit.3g2 | sihost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar | sihost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png | RuntimeBroker.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png | sihost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms | svchost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\RyukReadMe.txt | svchost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms | svchost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-hover.svg | taskhostw.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin | svchost.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js | svchost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html | sihost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms | svchost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg | RuntimeBroker.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\nn.txt | svchost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms | svchost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\RyukReadMe.txt | svchost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png | sihost.exe
    File opened for modification | C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms | sihost.exe
    File opened for modification | C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui | svchost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css | taskhostw.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png | svchost.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar | taskhostw.exe
    File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic | sihost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js | svchost.exe
  • Drops file in Windows directory
    explorer.exe, taskmgr.exe, ShellExperienceHost.exe, SearchUI.exe

    Description

    The .pri files below are written under C:\Windows\rescache by explorer.exe, taskmgr.exe, ShellExperienceHost.exe and SearchUI.exe, which is the shell's normal resource-cache maintenance. None of the writers is the sample or one of the four processes that performed the encryption, so treat this signature as background noise for this run.

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | explorer.exe
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | explorer.exe
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | ShellExperienceHost.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | SearchUI.exe
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | ShellExperienceHost.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pidpid_targetprocesstarget process
    45363752WerFault.exeDllHost.exe
  • Checks SCSI registry key(s)
    explorer.exe, taskmgr.exe

    Description

    SCSI information is often read in order to detect sandboxing environments, because the disk and CD-ROM vendor strings exposed here are what VM-detection code compares against known hypervisor vendor names. In this run the reads come from explorer.exe and taskmgr.exe, not from the sample or the injected processes, so they are most likely ordinary shell and Task Manager activity rather than sandbox evasion by Ryuk.

    TTPs

    Query Registry; Peripheral Device Discovery; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | taskmgr.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
  • Enumerates system info in registry
    SearchUI.exe

    Description

    The BIOS SystemSKU query below is performed by SearchUI.exe (Cortana), not by the sample; it is routine shell activity in this run.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
  • Interacts with shadow copies
    vssadmin.exe (multiple instances; one row per PID under Reported IOCs)

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery. The sample spawned 54 separate vssadmin.exe processes in this run; together with the per-drive-letter root opens recorded under "Enumerates connected drives", this points to shadow copies being removed or starved volume by volume rather than by a single command. The report records process names and PIDs only, not command lines, so recover those from process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) when building a detection.

    TTPs

    File Deletion; Inhibit System Recovery

    Reported IOCs

    pid | process
    47336 | vssadmin.exe
    79184 | vssadmin.exe
    78816 | vssadmin.exe
    4704 | vssadmin.exe
    2392 | vssadmin.exe
    79264 | vssadmin.exe
    29460 | vssadmin.exe
    41560 | vssadmin.exe
    78532 | vssadmin.exe
    79164 | vssadmin.exe
    79232 | vssadmin.exe
    79072 | vssadmin.exe
    43140 | vssadmin.exe
    3284 | vssadmin.exe
    79328 | vssadmin.exe
    79488 | vssadmin.exe
    4788 | vssadmin.exe
    79200 | vssadmin.exe
    79424 | vssadmin.exe
    3800 | vssadmin.exe
    3592 | vssadmin.exe
    78912 | vssadmin.exe
    1980 | vssadmin.exe
    78540 | vssadmin.exe
    79124 | vssadmin.exe
    79392 | vssadmin.exe
    3184 | vssadmin.exe
    4580 | vssadmin.exe
    79000 | vssadmin.exe
    1860 | vssadmin.exe
    3516 | vssadmin.exe
    78860 | vssadmin.exe
    34744 | vssadmin.exe
    3584 | vssadmin.exe
    79520 | vssadmin.exe
    2156 | vssadmin.exe
    78940 | vssadmin.exe
    79456 | vssadmin.exe
    3404 | vssadmin.exe
    79144 | vssadmin.exe
    78824 | vssadmin.exe
    3300 | vssadmin.exe
    3532 | vssadmin.exe
    78548 | vssadmin.exe
    1020 | vssadmin.exe
    67408 | vssadmin.exe
    79220 | vssadmin.exe
    5096 | vssadmin.exe
    79360 | vssadmin.exe
    79552 | vssadmin.exe
    3572 | vssadmin.exe
    2404 | vssadmin.exe
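The burst of vssadmin.exe children above, and the per-drive root opens listed under "Enumerates connected drives", are the two observable shapes of this behaviour. The script below is an added example, not part of the sandbox report, showing the detection logic a SOC would run over process-creation telemetry. Because the report records only image names, PIDs and the drive roots opened, the events are constructed: they use the vssadmin verbs ransomware commonly abuses ("delete shadows", "resize shadowstorage") in Sysmon Event ID 1 field names, with made-up PIDs and timestamps, and are not command lines recovered from this sample.

```python
"""Detect a vssadmin shadow-copy tampering burst from process-creation events.

Added example, not part of the sandbox report. EVENTS are constructed (made-up
PIDs, times and command lines in Sysmon Event ID 1 field names); the report
itself records only vssadmin.exe image names, PIDs and opened drive roots.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Verbs that remove snapshots outright or shrink shadow storage so far that
# Windows discards them. "list"/"create" are left alone to avoid admin noise.
TAMPER_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\b(delete\s+shadows|resize\s+shadowstorage)\b",
    re.IGNORECASE)
DRIVE_RE = re.compile(r"/for=([a-z]):", re.IGNORECASE)

# Constructed events. Parent 5000 stands in for the encryptor, which issues one
# vssadmin per drive letter in mixed case (the report shows both E: and e:
# being opened); 6000 and 6100 stand in for an administrator's shell.
EVENTS = [
    {"UtcTime": "2021-10-20 08:55:01", "ProcessId": 7001, "ParentProcessId": 5000,
     "CommandLine": "vssadmin Delete Shadows /all /quiet"},
    {"UtcTime": "2021-10-20 08:55:02", "ProcessId": 7002, "ParentProcessId": 5000,
     "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB"},
    {"UtcTime": "2021-10-20 08:55:03", "ProcessId": 7003, "ParentProcessId": 5000,
     "CommandLine": "vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded"},
    {"UtcTime": "2021-10-20 08:55:04", "ProcessId": 7004, "ParentProcessId": 5000,
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"UtcTime": "2021-10-20 08:55:05", "ProcessId": 7005, "ParentProcessId": 5000,
     "CommandLine": "vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB"},
    {"UtcTime": "2021-10-20 08:55:06", "ProcessId": 7006, "ParentProcessId": 5000,
     "CommandLine": "vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded"},
    {"UtcTime": "2021-10-20 08:55:07", "ProcessId": 7007, "ParentProcessId": 5000,
     "CommandLine": "vssadmin list shadows"},
    {"UtcTime": "2021-10-20 09:30:00", "ProcessId": 8001, "ParentProcessId": 6000,
     "CommandLine": "vssadmin list shadows /for=C:"},
    {"UtcTime": "2021-10-20 10:00:00", "ProcessId": 8101, "ParentProcessId": 6100,
     "CommandLine": "vssadmin delete shadows /for=D: /oldest"},
]


def is_shadow_tamper(cmdline: str) -> bool:
    return TAMPER_RE.search(cmdline) is not None


def tamper_events(events: List[Dict]) -> List[Dict]:
    """Every vssadmin call that deletes or starves shadow copies. Each one is
    worth a ticket on its own; a burst only raises the severity."""
    return [e for e in events if is_shadow_tamper(e["CommandLine"])]


def detect_bursts(events: List[Dict], window_seconds: int = 60,
                  threshold: int = 5) -> List[Dict]:
    """Group tampering children by parent and flag >= threshold within window."""
    by_parent = defaultdict(list)
    for e in tamper_events(events):
        by_parent[e["ParentProcessId"]].append(e)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for parent, evs in by_parent.items():
        evs.sort(key=lambda e: e["UtcTime"])
        times = [datetime.fromisoformat(e["UtcTime"]) for e in evs]
        i = 0
        while i < len(evs):
            j = i
            while j < len(evs) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst = evs[i:j]
                # Normalise drive letters so c: and C: count as one volume.
                drives = sorted({m.group(1).upper() for e in burst
                                 for m in DRIVE_RE.finditer(e["CommandLine"])})
                alerts.append({"parent_pid": parent, "count": len(burst),
                               "first": burst[0]["UtcTime"],
                               "last": burst[-1]["UtcTime"],
                               "drives": drives,
                               "child_pids": [e["ProcessId"] for e in burst]})
                i = j
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(EVENTS):
        print(alert)
```

With the defaults the constructed encryptor parent produces one burst alert covering six children and the volumes C, D and E, while the administrator's single "delete shadows /oldest" is returned by tamper_events() but not as a burst; lowering threshold to 1 turns it into an alert too. The same two-stage shape (match the verb, then count per parent) extends naturally to wmic shadowcopy delete and wbadmin delete catalog, which the report does not show for this sample.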
  • Modifies Internet Explorer settings
    explorer.exe

    Description

    The WindowsSearch\Version value ("WS not running") is explorer.exe recording that the Windows Search service is not running; it is shell housekeeping, not an action of the sample.

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | explorer.exe
  • Modifies registry class
    SearchUI.exe, svchost.exe, sihost.exe, explorer.exe, sihost.exe, taskhostw.exe, RuntimeBroker.exe

    Description

    The keys below are routine shell state (Cortana DOM storage, Explorer shell bags, the tray-notification cache and app-activation flags) written by the processes listed; none of the values carries sample-specific content.

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | svchost.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | sihost.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132786946600896572" | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070a004100720067006a006200650078002000200032000a005600610067007200650061007200670020006e00700070007200660066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000007bfb0422e6c2d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a0047007500720020004e006800710076006200200046007200650069007600700072002000760066002000610062006700200065006800610061007600610074002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff73ae2078e323294282c1e41cb67d5b9c000000000000000000000000391a08390ec1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a00660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070a004e0070006700760062006100660020006100720072007100720071002e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033cd62c606c1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a00660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | taskhostw.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | RuntimeBroker.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Tags

    Reported IOCs

    pid | process
    30724 | NOTEPAD.EXE
  • Suspicious behavior: EnumeratesProcesses
    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, taskmgr.exe, WerFault.exe

    Reported IOCs

    pid | process
    4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4536 | WerFault.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
  • Suspicious behavior: GetForegroundWindowSpam
    explorer.exe, taskmgr.exe

    Reported IOCs

    pid | process
    37136 | explorer.exe
    4328 | taskmgr.exe
  • Suspicious use of AdjustPrivilegeToken
    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, taskmgr.exe, WerFault.exe, vssvc.exe, explorer.exe, RuntimeBroker.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    Token: SeDebugPrivilege | 4328 | taskmgr.exe
    Token: SeSystemProfilePrivilege | 4328 | taskmgr.exe
    Token: SeCreateGlobalPrivilege | 4328 | taskmgr.exe
    Token: SeDebugPrivilege | 4536 | WerFault.exe
    Token: SeBackupPrivilege | 20236 | vssvc.exe
    Token: SeRestorePrivilege | 20236 | vssvc.exe
    Token: SeAuditPrivilege | 20236 | vssvc.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
    Token: SeTakeOwnershipPrivilege | 3488 | RuntimeBroker.exe
    Token: SeRestorePrivilege | 3488 | RuntimeBroker.exe
    Token: SeShutdownPrivilege | 37136 | explorer.exe
    Token: SeCreatePagefilePrivilege | 37136 | explorer.exe
  • Suspicious use of FindShellTrayWindow
    taskmgr.exe

    Reported IOCs

    pid | process
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
  • Suspicious use of SendNotifyMessage
    taskmgr.exe

    Reported IOCs

    pid | process
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
    4328 | taskmgr.exe
  • Suspicious use of SetWindowsHookEx
    ShellExperienceHost.exe, SearchUI.exe

    Reported IOCs

    pid | process
    39892 | ShellExperienceHost.exe
    40312 | SearchUI.exe
    39892 | ShellExperienceHost.exe
  • Suspicious use of UnmapMainImage
    sihost.exe, svchost.exe, taskhostw.exe, RuntimeBroker.exe

    Reported IOCs

    pid | process
    2308 | sihost.exe
    2316 | svchost.exe
    2444 | taskhostw.exe
    3488 | RuntimeBroker.exe
  • Suspicious use of WriteProcessMemory
    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, cmd.exe, sihost.exe, cmd.exe, sihost.exe, svchost.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 4024 wrote to memory of 416 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | cmd.exe
    PID 4024 wrote to memory of 416 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | cmd.exe
    PID 4024 wrote to memory of 2308 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | sihost.exe
    PID 416 wrote to memory of 4320 | 416 | cmd.exe | reg.exe
    PID 416 wrote to memory of 4320 | 416 | cmd.exe | reg.exe
    PID 4024 wrote to memory of 2316 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | svchost.exe
    PID 4024 wrote to memory of 2444 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | taskhostw.exe
    PID 4024 wrote to memory of 3224 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | ShellExperienceHost.exe
    PID 4024 wrote to memory of 3236 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | SearchUI.exe
    PID 4024 wrote to memory of 3488 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | RuntimeBroker.exe
    PID 4024 wrote to memory of 3752 | 4024 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | DllHost.exe
    PID 2308 wrote to memory of 78760 | 2308 | sihost.exe | cmd.exe
    PID 2308 wrote to memory of 78760 | 2308 | sihost.exe | cmd.exe
    PID 78760 wrote to memory of 78816 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78816 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3572 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3572 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78548 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78548 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78540 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78540 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 5096 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 5096 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 4704 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 4704 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78768 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 78768 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3284 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3284 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 2404 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 2404 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 34744 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 34744 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3592 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 3592 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 4580 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 4580 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 1020 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 1020 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 2392 | 78760 | cmd.exe | vssadmin.exe
    PID 78760 wrote to memory of 2392 | 78760 | cmd.exe | vssadmin.exe
    PID 78624 wrote to memory of 37136 | 78624 | sihost.exe | explorer.exe
    PID 78624 wrote to memory of 37136 | 78624 | sihost.exe | explorer.exe
    PID 2316 wrote to memory of 79076 | 2316 | svchost.exe | cmd.exe
    PID 2316 wrote to memory of 79076 | 2316 | svchost.exe | cmd.exe
    PID 79076 wrote to memory of 79124 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79124 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79164 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79164 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79200 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79200 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79232 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79232 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79264 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79264 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79296 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79296 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79328 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79328 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79360 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79360 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79392 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79392 | 79076 | cmd.exe | vssadmin.exe
    PID 79076 wrote to memory of 79424 | 79076 | cmd.exe | vssadmin.exe
Processes 78
  • c:\windows\system32\sihost.exe
    sihost.exe
    Modifies extensions of user files
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2308
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Suspicious use of WriteProcessMemory
      PID:78760
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78816
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:3572
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:78548
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:78540
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:5096
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:4704
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78768
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3284
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:2404
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:34744
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3592
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:4580
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:1020
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:2392
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    PID:3224
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3752
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3752 -s 812
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4536
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    Modifies extensions of user files
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of UnmapMainImage
    PID:3488
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:2164
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:1980
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:1860
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:78532
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3800
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78824
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3184
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:4788
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3300
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3584
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:43140
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3532
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3516
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3404
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:2156
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    PID:3236
  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    Modifies extensions of user files
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    PID:2444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:42856
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:29460
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:41560
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:47336
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:67408
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78860
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:78940
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78912
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79000
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79072
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79144
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79184
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79220
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    Modifies extensions of user files
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Suspicious use of WriteProcessMemory
      PID:79076
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:79124
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:79164
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:79200
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79232
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79264
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79296
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79328
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79360
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79392
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79424
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79456
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:79488
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:79520
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:79552
  • C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
      Suspicious use of WriteProcessMemory
      PID:416
      • C:\Windows\system32\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
        Adds Run key to start application
        PID:4320
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    Drops file in Windows directory
    Checks SCSI registry key(s)
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:4328
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:20236
  • \??\c:\windows\system32\sihost.exe
    sihost.exe
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:78624
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      Enumerates connected drives
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:37136
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt
        Opens file in notepad (likely ransom note)
        PID:30724
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Drops file in Windows directory
    Suspicious use of SetWindowsHookEx
    PID:39892
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Drops file in Windows directory
    Enumerates system info in registry
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:40312
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:79584
  • \??\c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:42636
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
              Downloads
              • C:\Boot\BOOTSTAT.DAT

                MD5

                819d4a41854cee506f9b0cfc5a5c538e

                SHA1

                cf1ad33b7661c4f292a37512ef79378cdb70cae1

                SHA256

                b0db9a6c45054b7720e2c3516edd4dd2f686b83e54306d09eb6f4f8cca10b194

                SHA512

                8762bd096d17675ff18f7e871d13217e05f04af3b04c5f2c6a52406a67d7ca16ad0cf067a1cf9b5306339c58e5b26664d72af00d49ed12e1d2eb28a4693b56b6

              • C:\Boot\Fonts\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\Resources\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\Resources\en-US\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\bg-BG\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\cs-CZ\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\da-DK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\de-DE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\el-GR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\en-GB\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\en-US\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\es-ES\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\es-MX\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\et-EE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fi-FI\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fr-CA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fr-FR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\hr-HR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\hu-HU\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\it-IT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ja-JP\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ko-KR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lt-LT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lv-LV\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nb-NO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nl-NL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pl-PL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-BR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-PT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\qps-ploc\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ro-RO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ru-RU\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sk-SK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sl-SI\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sr-Latn-RS\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sv-SE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\tr-TR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\uk-UA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\zh-CN\RyukReadMe.txt


              • C:\Boot\zh-TW\RyukReadMe.txt


              • C:\Documents and Settings\RyukReadMe.txt


              • C:\PerfLogs\RyukReadMe.txt


              • C:\Program Files\7-Zip\Lang\RyukReadMe.txt


              • C:\Program Files\7-Zip\RyukReadMe.txt


              • C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt


              • C:\Program Files\Common Files\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt


              • C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.txt


              • C:\Program Files\RyukReadMe.txt


              • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_2c818d6f-6b05-478c-8ce1-9d49a3874096


              • C:\RyukReadMe.txt


              • C:\odt\RyukReadMe.txt


              • C:\users\Public\window.bat


              • \??\c:\BOOTSECT.BAK

