f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
170KB
20-10-2021 08:55
1bd7d1b87c5091a9653fe8005892b784
3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703
Extracted
Path | C:\RyukReadMe.txt |
Family | ryuk |
Ransom Note |
Your network has been penetrated.
All files on each host in the network have been encrypted with a strong algorithm.
Backups were either encrypted or deleted or backup disks were formatted.
Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover.
We exclusively have decryption software for your situation
No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at
WayneEvenson@protonmail.com
or
WayneEvenson@tutanota.com
BTC wallet:
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Ryuk
No system is safe
|
Emails |
WayneEvenson@protonmail.com WayneEvenson@tutanota.com |
Wallets |
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk |
Filter: none
-
Ryuk
Description
Ransomware distributed via existing botnets, often Trickbot or Emotet.
Tags
-
Deletes shadow copies
Description
Ransomware often targets backup files to inhibit system recovery.
Tags
TTPs
-
Modifies Installed Components in the registry
Tags
TTPs
-
Modifies extensions of user filestaskhostw.exeRuntimeBroker.exesihost.exesvchost.exe
Description
Ransomware generally changes the extension on encrypted files.
Tags
Reported IOCs
description ioc process File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff svchost.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff svchost.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff svchost.exe -
Drops startup filesihost.exesvchost.exetaskhostw.exeRuntimeBroker.exe
Reported IOCs
description ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt sihost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt taskhostw.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt RuntimeBroker.exe -
Reads user/profile data of web browsers
Description
Infostealers often target stored browser data, which can include saved credentials etc.
Tags
TTPs
-
Adds Run key to start applicationreg.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" reg.exe -
Enumerates connected drivesvssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exeexplorer.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe
Description
Attempts to read the root path of hard drives other than the default C: drive.
TTPs
Reported IOCs
description ioc process File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Drops file in Program Files directorysihost.exesvchost.exetaskhostw.exeRuntimeBroker.exe
Reported IOCs
description ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Common Files\System\ado\msado20.tlb sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar svchost.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt taskhostw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo taskhostw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar RuntimeBroker.exe File opened for modification C:\Program Files\CompressSplit.3g2 sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png RuntimeBroker.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar RuntimeBroker.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\RyukReadMe.txt svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-hover.svg taskhostw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg RuntimeBroker.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\RyukReadMe.txt svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar taskhostw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js svchost.exe -
Drops file in Windows directoryexplorer.exetaskmgr.exeShellExperienceHost.exeSearchUI.exe
Reported IOCs
description ioc process File created C:\Windows\rescache\_merged\4032412167\2690874625.pri explorer.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri taskmgr.exe File created C:\Windows\rescache\_merged\2717123927\1713683155.pri explorer.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri ShellExperienceHost.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\2690874625.pri ShellExperienceHost.exe -
Enumerates physical storage devices
Description
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
TTPs
-
Program crashWerFault.exe
Reported IOCs
pid pid_target process target process 4536 3752 WerFault.exe DllHost.exe -
Checks SCSI registry key(s)explorer.exetaskmgr.exe
Description
SCSI information is often read in order to detect sandboxing environments.
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags explorer.exe -
Enumerates system info in registrySearchUI.exe
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copiesvssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe
Description
Shadow copies are often targeted by ransomware to inhibit system recovery.
Tags
TTPs
Reported IOCs
pid process 47336 vssadmin.exe 79184 vssadmin.exe 78816 vssadmin.exe 4704 vssadmin.exe 2392 vssadmin.exe 79264 vssadmin.exe 29460 vssadmin.exe 41560 vssadmin.exe 78532 vssadmin.exe 79164 vssadmin.exe 79232 vssadmin.exe 79072 vssadmin.exe 43140 vssadmin.exe 3284 vssadmin.exe 79328 vssadmin.exe 79488 vssadmin.exe 4788 vssadmin.exe 79200 vssadmin.exe 79424 vssadmin.exe 3800 vssadmin.exe 3592 vssadmin.exe 78912 vssadmin.exe 1980 vssadmin.exe 78540 vssadmin.exe 79124 vssadmin.exe 79392 vssadmin.exe 3184 vssadmin.exe 4580 vssadmin.exe 79000 vssadmin.exe 1860 vssadmin.exe 3516 vssadmin.exe 78860 vssadmin.exe 34744 vssadmin.exe 3584 vssadmin.exe 79520 vssadmin.exe 2156 vssadmin.exe 78940 vssadmin.exe 79456 vssadmin.exe 3404 vssadmin.exe 79144 vssadmin.exe 78824 vssadmin.exe 3300 vssadmin.exe 3532 vssadmin.exe 78548 vssadmin.exe 1020 vssadmin.exe 67408 vssadmin.exe 79220 vssadmin.exe 5096 vssadmin.exe 79360 vssadmin.exe 79552 vssadmin.exe 79296 vssadmin.exe 3572 vssadmin.exe 78768 vssadmin.exe 2404 vssadmin.exe -
Modifies Internet Explorer settingsexplorer.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe -
Modifies registry classSearchUI.exesvchost.exesihost.exeexplorer.exesihost.exetaskhostw.exeRuntimeBroker.exe
Reported IOCs
description ioc process Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings sihost.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132786946600896572" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070a004100720067006a006200650078002000200032000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000007bfb0422e6c2d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a0047007500720020004e006800710076006200200046007200650069007600700072002000760066002000610062006700200065006800610061007600610074002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff73ae2078e323294282c1e41cb67d5b9c000000000000000000000000391a08390ec1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033cd62c606c1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings taskhostw.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings RuntimeBroker.exe -
Opens file in notepad (likely ransom note)NOTEPAD.EXE
Tags
Reported IOCs
pid process 30724 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcessesf130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exetaskmgr.exeWerFault.exe
Reported IOCs
pid process 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 4328 taskmgr.exe 4328 taskmgr.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpamexplorer.exetaskmgr.exe
Reported IOCs
pid process 37136 explorer.exe 4328 taskmgr.exe -
Suspicious use of AdjustPrivilegeTokenf130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exetaskmgr.exeWerFault.exevssvc.exeexplorer.exeRuntimeBroker.exe
Reported IOCs
description pid process Token: SeDebugPrivilege 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe Token: SeDebugPrivilege 4328 taskmgr.exe Token: SeSystemProfilePrivilege 4328 taskmgr.exe Token: SeCreateGlobalPrivilege 4328 taskmgr.exe Token: SeDebugPrivilege 4536 WerFault.exe Token: SeBackupPrivilege 20236 vssvc.exe Token: SeRestorePrivilege 20236 vssvc.exe Token: SeAuditPrivilege 20236 vssvc.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeTakeOwnershipPrivilege 3488 RuntimeBroker.exe Token: SeRestorePrivilege 3488 RuntimeBroker.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe -
Suspicious use of FindShellTrayWindowtaskmgr.exe
Reported IOCs
pid process 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious use of SendNotifyMessagetaskmgr.exe
Reported IOCs
pid process 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious use of SetWindowsHookExShellExperienceHost.exeSearchUI.exe
Reported IOCs
pid process 39892 ShellExperienceHost.exe 40312 SearchUI.exe 39892 ShellExperienceHost.exe -
Suspicious use of UnmapMainImagesihost.exesvchost.exetaskhostw.exeRuntimeBroker.exe
Reported IOCs
pid process 2308 sihost.exe 2316 svchost.exe 2444 taskhostw.exe 3488 RuntimeBroker.exe -
Suspicious use of WriteProcessMemoryf130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.execmd.exesihost.execmd.exesihost.exesvchost.execmd.exe
Reported IOCs
description pid process target process PID 4024 wrote to memory of 416 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 4024 wrote to memory of 416 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 4024 wrote to memory of 2308 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe sihost.exe PID 416 wrote to memory of 4320 416 cmd.exe reg.exe PID 416 wrote to memory of 4320 416 cmd.exe reg.exe PID 4024 wrote to memory of 2316 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 4024 wrote to memory of 2444 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe taskhostw.exe PID 4024 wrote to memory of 3224 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe ShellExperienceHost.exe PID 4024 wrote to memory of 3236 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe SearchUI.exe PID 4024 wrote to memory of 3488 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 4024 wrote to memory of 3752 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 2308 wrote to memory of 78760 2308 sihost.exe cmd.exe PID 2308 wrote to memory of 78760 2308 sihost.exe cmd.exe PID 78760 wrote to memory of 78816 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78816 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3572 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3572 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78548 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78548 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78540 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78540 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 5096 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 5096 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4704 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4704 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78768 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78768 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3284 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3284 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2404 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2404 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 34744 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 34744 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3592 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3592 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4580 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4580 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 1020 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 1020 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2392 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2392 78760 cmd.exe vssadmin.exe PID 78624 wrote to memory of 37136 78624 sihost.exe explorer.exe PID 78624 wrote to memory of 37136 78624 sihost.exe explorer.exe PID 2316 wrote to memory of 79076 2316 svchost.exe cmd.exe PID 2316 wrote to memory of 79076 2316 svchost.exe cmd.exe PID 79076 wrote to memory of 79124 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79124 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79164 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79164 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79200 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79200 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79232 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79232 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79264 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79264 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79296 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79296 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79328 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79328 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79360 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79360 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79392 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79392 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79424 79076 cmd.exe vssadmin.exe
-
c:\windows\system32\sihost.exesihost.exeModifies extensions of user filesDrops startup fileDrops file in Program Files directoryModifies registry classSuspicious use of UnmapMainImageSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MBInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unboundedInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3752 -s 812Program crashSuspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -EmbeddingModifies extensions of user filesDrops startup fileDrops file in Program Files directoryModifies registry classSuspicious use of AdjustPrivilegeTokenSuspicious use of UnmapMainImage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MBInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unboundedInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}Modifies extensions of user filesDrops startup fileDrops file in Program Files directoryModifies registry classSuspicious use of UnmapMainImage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MBInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unboundedInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvcModifies extensions of user filesDrops startup fileDrops file in Program Files directoryModifies registry classSuspicious use of UnmapMainImageSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MBInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unboundedInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MBEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unboundedEnumerates connected drivesInteracts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quietInteracts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"Suspicious behavior: EnumeratesProcessesSuspicious use of AdjustPrivilegeTokenSuspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /fSuspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /fAdds Run key to start application
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /4Drops file in Windows directoryChecks SCSI registry key(s)Suspicious behavior: EnumeratesProcessesSuspicious behavior: GetForegroundWindowSpamSuspicious use of AdjustPrivilegeTokenSuspicious use of FindShellTrayWindowSuspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeSuspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\sihost.exesihost.exeModifies registry classSuspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWSEnumerates connected drivesDrops file in Windows directoryChecks SCSI registry key(s)Modifies Internet Explorer settingsModifies registry classSuspicious behavior: GetForegroundWindowSpamSuspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txtOpens file in notepad (likely ransom note)
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mcaDrops file in Windows directorySuspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mcaDrops file in Windows directoryEnumerates system info in registryModifies registry classSuspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
-
\??\c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
-
C:\Boot\BOOTSTAT.DAT
MD5819d4a41854cee506f9b0cfc5a5c538e
SHA1cf1ad33b7661c4f292a37512ef79378cdb70cae1
SHA256b0db9a6c45054b7720e2c3516edd4dd2f686b83e54306d09eb6f4f8cca10b194
SHA5128762bd096d17675ff18f7e871d13217e05f04af3b04c5f2c6a52406a67d7ca16ad0cf067a1cf9b5306339c58e5b26664d72af00d49ed12e1d2eb28a4693b56b6
-
C:\Boot\Fonts\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\en-US\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\bg-BG\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\cs-CZ\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\da-DK\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\de-DE\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\el-GR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-GB\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-US\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-ES\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-MX\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\et-EE\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fi-FI\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-CA\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-FR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hr-HR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hu-HU\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\it-IT\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ja-JP\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ko-KR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lt-LT\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lv-LV\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nb-NO\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nl-NL\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pl-PL\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-BR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-PT\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\qps-ploc\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ro-RO\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ru-RU\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sk-SK\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sl-SI\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sr-Latn-RS\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sv-SE\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\tr-TR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\uk-UA\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-CN\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-TW\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Documents and Settings\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\PerfLogs\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\Lang\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_2c818d6f-6b05-478c-8ce1-9d49a3874096
MD53c1d317da4e850f8e2be3c1e90347005
SHA1f0159ce8e2835a0b371c335875372129f596c614
SHA256d23c10f67c81520a126007c77f22887269e635715290544bf841bb49d1492249
SHA512970f3643d3c42801e8c0f90e57030e34ff1a7cbc4427238558c67c0992d0a2d4456c0ca14a1f23f9907b2fba567e261f3a9245b4abfc54588e7eda8df1c60861
-
C:\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\odt\RyukReadMe.txt
MD5cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\users\Public\window.bat
MD5d2aba3e1af80edd77e206cd43cfd3129
SHA13116da65d097708fad63a3b73d1c39bffa94cb01
SHA2568940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA5120059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
\??\c:\BOOTSECT.BAK
MD5dde993c92d8efccd4e037b025ed90ccc
SHA152c179e1cbec1a04c90e47206dae43e45547e716
SHA256a0b69d8f94916748588b86cc026bd5163b56dda9b1bb9349d53dc8de1d87ce81
SHA512f41169015d22af59c9f6b675c61a8759c4ccc91b183ed0da27dfa56b5d3e2037bab8c35be7d258c12ebed9a2fab654c5de1ab29a05577118edb97dc53b108f18
-
memory/416-115-0x0000000000000000-mapping.dmp
-
memory/1020-132-0x0000000000000000-mapping.dmp
-
memory/1860-230-0x0000000000000000-mapping.dmp
-
memory/1980-229-0x0000000000000000-mapping.dmp
-
memory/2156-242-0x0000000000000000-mapping.dmp
-
memory/2164-228-0x0000000000000000-mapping.dmp
-
memory/2308-117-0x00007FF6CEA60000-0x00007FF6CEDEE000-memory.dmp
-
memory/2392-133-0x0000000000000000-mapping.dmp
-
memory/2404-128-0x0000000000000000-mapping.dmp
-
memory/3184-234-0x0000000000000000-mapping.dmp
-
memory/3284-127-0x0000000000000000-mapping.dmp
-
memory/3300-236-0x0000000000000000-mapping.dmp
-
memory/3404-241-0x0000000000000000-mapping.dmp
-
memory/3516-240-0x0000000000000000-mapping.dmp
-
memory/3532-239-0x0000000000000000-mapping.dmp
-
memory/3572-121-0x0000000000000000-mapping.dmp
-
memory/3584-237-0x0000000000000000-mapping.dmp
-
memory/3592-130-0x0000000000000000-mapping.dmp
-
memory/3800-232-0x0000000000000000-mapping.dmp
-
memory/4320-116-0x0000000000000000-mapping.dmp
-
memory/4580-131-0x0000000000000000-mapping.dmp
-
memory/4704-125-0x0000000000000000-mapping.dmp
-
memory/4788-235-0x0000000000000000-mapping.dmp
-
memory/5096-124-0x0000000000000000-mapping.dmp
-
memory/29460-216-0x0000000000000000-mapping.dmp
-
memory/30724-214-0x0000000000000000-mapping.dmp
-
memory/34744-129-0x0000000000000000-mapping.dmp
-
memory/37136-197-0x0000000000000000-mapping.dmp
-
memory/37136-198-0x0000000002B50000-0x0000000002B51000-memory.dmp
-
memory/41560-217-0x0000000000000000-mapping.dmp
-
memory/42856-215-0x0000000000000000-mapping.dmp
-
memory/43140-238-0x0000000000000000-mapping.dmp
-
memory/47336-218-0x0000000000000000-mapping.dmp
-
memory/67408-219-0x0000000000000000-mapping.dmp
-
memory/78532-231-0x0000000000000000-mapping.dmp
-
memory/78540-123-0x0000000000000000-mapping.dmp
-
memory/78548-122-0x0000000000000000-mapping.dmp
-
memory/78760-118-0x0000000000000000-mapping.dmp
-
memory/78768-126-0x0000000000000000-mapping.dmp
-
memory/78816-120-0x0000000000000000-mapping.dmp
-
memory/78824-233-0x0000000000000000-mapping.dmp
-
memory/78860-220-0x0000000000000000-mapping.dmp
-
memory/78912-222-0x0000000000000000-mapping.dmp
-
memory/78940-221-0x0000000000000000-mapping.dmp
-
memory/79000-223-0x0000000000000000-mapping.dmp
-
memory/79072-224-0x0000000000000000-mapping.dmp
-
memory/79076-199-0x0000000000000000-mapping.dmp
-
memory/79124-200-0x0000000000000000-mapping.dmp
-
memory/79144-225-0x0000000000000000-mapping.dmp
-
memory/79164-201-0x0000000000000000-mapping.dmp
-
memory/79184-226-0x0000000000000000-mapping.dmp
-
memory/79200-202-0x0000000000000000-mapping.dmp
-
memory/79220-227-0x0000000000000000-mapping.dmp
-
memory/79232-203-0x0000000000000000-mapping.dmp
-
memory/79264-204-0x0000000000000000-mapping.dmp
-
memory/79296-205-0x0000000000000000-mapping.dmp
-
memory/79328-206-0x0000000000000000-mapping.dmp
-
memory/79360-207-0x0000000000000000-mapping.dmp
-
memory/79392-208-0x0000000000000000-mapping.dmp
-
memory/79424-209-0x0000000000000000-mapping.dmp
-
memory/79456-210-0x0000000000000000-mapping.dmp
-
memory/79488-211-0x0000000000000000-mapping.dmp
-
memory/79520-212-0x0000000000000000-mapping.dmp
-
memory/79552-213-0x0000000000000000-mapping.dmp