Analysis
-
max time kernel
552s -
max time network
360s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
20-10-2021 08:46
Static task
static1
Behavioral task
behavioral1
Sample
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Resource
win10-en-20211014
General
-
Target
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
-
Size
170KB
-
MD5
1bd7d1b87c5091a9653fe8005892b784
-
SHA1
3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
-
SHA256
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703
-
SHA512
4c13373a150b1e3bd12fdd9ad5c379a43e41c59ba5b6dd6982c79599839128bcbde30d7083a810d66604382f4d5aff24c22b504fdaab03f6743a7dc263d85651
Malware Config
Extracted
C:\RyukReadMe.txt
ryuk
WayneEvenson@protonmail.com
WayneEvenson@tutanota.com
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies Installed Components in the registry 2 TTPs
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
taskhostw.exeRuntimeBroker.exesihost.exesvchost.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff svchost.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff svchost.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff taskhostw.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff RuntimeBroker.exe File opened for modification C:\Users\Admin\Pictures\CopyInitialize.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\LockUnpublish.tiff sihost.exe File opened for modification C:\Users\Admin\Pictures\CompleteUnregister.tiff svchost.exe -
Drops startup file 4 IoCs
Processes:
sihost.exesvchost.exetaskhostw.exeRuntimeBroker.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt sihost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt taskhostw.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt RuntimeBroker.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" reg.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exeexplorer.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exedescription ioc process File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\D: explorer.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\G: vssadmin.exe File opened (read-only) \??\H: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\f: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\F: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\g: vssadmin.exe File opened (read-only) \??\D: vssadmin.exe File opened (read-only) \??\E: vssadmin.exe File opened (read-only) \??\e: vssadmin.exe File opened (read-only) \??\h: vssadmin.exe -
Drops file in Program Files directory 64 IoCs
Processes:
sihost.exesvchost.exetaskhostw.exeRuntimeBroker.exedescription ioc process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Common Files\System\ado\msado20.tlb sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar svchost.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt taskhostw.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\vlc.mo taskhostw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar RuntimeBroker.exe File opened for modification C:\Program Files\CompressSplit.3g2 sihost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_zh_4.4.0.v20140623020002.jar sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png RuntimeBroker.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\inline-error-1x.png sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProO365R_Subscription-ul-oob.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.update.configurator.nl_ja_4.4.0.v20140623020002.jar RuntimeBroker.exe File opened for modification C:\Program Files\Common Files\System\msadc\en-US\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\RyukReadMe.txt svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp3-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\ui-strings.js RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_audit_report_18.svg sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\next-arrow-hover.svg taskhostw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\ui-strings.js taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Trial-pl.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\core_icons_retina.png RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ExcelCombinedFloatieModel.bin svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\illustrations.png taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Fonts\private\LEELAWAD.TTF RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ui-strings.js svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.jetty.continuation_8.1.14.v20131031.jar taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\RyukReadMe.txt taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-ul.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\license.html sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_listview_selected.svg RuntimeBroker.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.registry_3.5.400.v20140428-1507.jar RuntimeBroker.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\RyukReadMe.txt svchost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\ui-strings.js sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\cstm_brand_preview2x.png sihost.exe File opened for modification C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\ui-strings.js sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\RyukReadMe.txt RuntimeBroker.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\RyukReadMe.txt sihost.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-pl.xrm-ms sihost.exe File opened for modification C:\Program Files\Common Files\System\Ole DB\en-US\sqloledb.rll.mui svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css taskhostw.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark@3x.png svchost.exe File opened for modification C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_zh_TW.jar taskhostw.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\en_CA.dic sihost.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nb-no\ui-strings.js svchost.exe -
Drops file in Windows directory 7 IoCs
Processes:
explorer.exetaskmgr.exeShellExperienceHost.exeSearchUI.exedescription ioc process File created C:\Windows\rescache\_merged\4032412167\2690874625.pri explorer.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri taskmgr.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri taskmgr.exe File created C:\Windows\rescache\_merged\2717123927\1713683155.pri explorer.exe File created C:\Windows\rescache\_merged\4183903823\1195458082.pri ShellExperienceHost.exe File created C:\Windows\rescache\_merged\1601268389\3068621934.pri SearchUI.exe File created C:\Windows\rescache\_merged\4032412167\2690874625.pri ShellExperienceHost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 4536 3752 WerFault.exe DllHost.exe -
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
explorer.exetaskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID explorer.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags explorer.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
SearchUI.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS SearchUI.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU SearchUI.exe -
Interacts with shadow copies 2 TTPs 54 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 47336 vssadmin.exe 79184 vssadmin.exe 78816 vssadmin.exe 4704 vssadmin.exe 2392 vssadmin.exe 79264 vssadmin.exe 29460 vssadmin.exe 41560 vssadmin.exe 78532 vssadmin.exe 79164 vssadmin.exe 79232 vssadmin.exe 79072 vssadmin.exe 43140 vssadmin.exe 3284 vssadmin.exe 79328 vssadmin.exe 79488 vssadmin.exe 4788 vssadmin.exe 79200 vssadmin.exe 79424 vssadmin.exe 3800 vssadmin.exe 3592 vssadmin.exe 78912 vssadmin.exe 1980 vssadmin.exe 78540 vssadmin.exe 79124 vssadmin.exe 79392 vssadmin.exe 3184 vssadmin.exe 4580 vssadmin.exe 79000 vssadmin.exe 1860 vssadmin.exe 3516 vssadmin.exe 78860 vssadmin.exe 34744 vssadmin.exe 3584 vssadmin.exe 79520 vssadmin.exe 2156 vssadmin.exe 78940 vssadmin.exe 79456 vssadmin.exe 3404 vssadmin.exe 79144 vssadmin.exe 78824 vssadmin.exe 3300 vssadmin.exe 3532 vssadmin.exe 78548 vssadmin.exe 1020 vssadmin.exe 67408 vssadmin.exe 79220 vssadmin.exe 5096 vssadmin.exe 79360 vssadmin.exe 79552 vssadmin.exe 79296 vssadmin.exe 3572 vssadmin.exe 78768 vssadmin.exe 2404 vssadmin.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" explorer.exe -
Modifies registry class 35 IoCs
Processes:
SearchUI.exesvchost.exesihost.exeexplorer.exesihost.exetaskhostw.exeRuntimeBroker.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings sihost.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana SearchUI.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance explorer.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132786946600896572" explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Cortana_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010005000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001c100000000000002000000e5070a004100720067006a006200650078002000200032000a005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000000000000074ae2078e323294282c1e41cb67d5b9c0000000000000000000000007bfb0422e6c2d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e5070a0047007500720020004e006800710076006200200046007200650069007600700072002000760066002000610062006700200065006800610061007600610074002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000ffffffff73ae2078e323294282c1e41cb67d5b9c000000000000000000000000391a08390ec1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b00360051003800300039003300370037002d0036004e00530030002d003400340034004f002d0038003900350037002d004e00330037003700330053003000320032003000300052007d005c004a0076006100710062006a0066002000510072007300720061007100720065005c005a0046004e00460050006800760059002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000000000000e5070a004e0070006700760062006100660020006100720072007100720071002e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000fffffffff9a6406d323dcb4f8a86be992e03dc7600000000000000000000000033cd62c606c1d70100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000050000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e5070a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix SearchUI.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings taskhostw.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 explorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" SearchUI.exe Key created \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings RuntimeBroker.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 30724 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exetaskmgr.exeWerFault.exepid process 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe 4328 taskmgr.exe 4328 taskmgr.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4536 WerFault.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
explorer.exetaskmgr.exepid process 37136 explorer.exe 4328 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exetaskmgr.exeWerFault.exevssvc.exeexplorer.exeRuntimeBroker.exedescription pid process Token: SeDebugPrivilege 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe Token: SeDebugPrivilege 4328 taskmgr.exe Token: SeSystemProfilePrivilege 4328 taskmgr.exe Token: SeCreateGlobalPrivilege 4328 taskmgr.exe Token: SeDebugPrivilege 4536 WerFault.exe Token: SeBackupPrivilege 20236 vssvc.exe Token: SeRestorePrivilege 20236 vssvc.exe Token: SeAuditPrivilege 20236 vssvc.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe Token: SeTakeOwnershipPrivilege 3488 RuntimeBroker.exe Token: SeRestorePrivilege 3488 RuntimeBroker.exe Token: SeShutdownPrivilege 37136 explorer.exe Token: SeCreatePagefilePrivilege 37136 explorer.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
taskmgr.exepid process 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
taskmgr.exepid process 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe 4328 taskmgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
ShellExperienceHost.exeSearchUI.exepid process 39892 ShellExperienceHost.exe 40312 SearchUI.exe 39892 ShellExperienceHost.exe -
Suspicious use of UnmapMainImage 4 IoCs
Processes:
sihost.exesvchost.exetaskhostw.exeRuntimeBroker.exepid process 2308 sihost.exe 2316 svchost.exe 2444 taskhostw.exe 3488 RuntimeBroker.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.execmd.exesihost.execmd.exesihost.exesvchost.execmd.exedescription pid process target process PID 4024 wrote to memory of 416 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 4024 wrote to memory of 416 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe cmd.exe PID 4024 wrote to memory of 2308 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe sihost.exe PID 416 wrote to memory of 4320 416 cmd.exe reg.exe PID 416 wrote to memory of 4320 416 cmd.exe reg.exe PID 4024 wrote to memory of 2316 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe svchost.exe PID 4024 wrote to memory of 2444 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe taskhostw.exe PID 4024 wrote to memory of 3224 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe ShellExperienceHost.exe PID 4024 wrote to memory of 3236 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe SearchUI.exe PID 4024 wrote to memory of 3488 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe RuntimeBroker.exe PID 4024 wrote to memory of 3752 4024 f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe DllHost.exe PID 2308 wrote to memory of 78760 2308 sihost.exe cmd.exe PID 2308 wrote to memory of 78760 2308 sihost.exe cmd.exe PID 78760 wrote to memory of 78816 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78816 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3572 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3572 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78548 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78548 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78540 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78540 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 5096 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 5096 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4704 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4704 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78768 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 78768 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3284 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3284 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2404 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2404 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 34744 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 34744 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3592 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 3592 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4580 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 4580 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 1020 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 1020 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2392 78760 cmd.exe vssadmin.exe PID 78760 wrote to memory of 2392 78760 cmd.exe vssadmin.exe PID 78624 wrote to memory of 37136 78624 sihost.exe explorer.exe PID 78624 wrote to memory of 37136 78624 sihost.exe explorer.exe PID 2316 wrote to memory of 79076 2316 svchost.exe cmd.exe PID 2316 wrote to memory of 79076 2316 svchost.exe cmd.exe PID 79076 wrote to memory of 79124 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79124 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79164 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79164 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79200 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79200 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79232 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79232 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79264 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79264 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79296 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79296 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79328 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79328 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79360 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79360 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79392 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79392 79076 cmd.exe vssadmin.exe PID 79076 wrote to memory of 79424 79076 cmd.exe vssadmin.exe
Processes
-
c:\windows\system32\sihost.exesihost.exe1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3752 -s 8122⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"2⤵
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
- Modifies extensions of user files
- Drops startup file
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin Delete Shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f3⤵
- Adds Run key to start application
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\sihost.exesihost.exe1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\explorer.exeexplorer.exe /LOADSAVEDWINDOWS2⤵
- Enumerates connected drives
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt3⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
\??\c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Boot\BOOTSTAT.DATMD5
819d4a41854cee506f9b0cfc5a5c538e
SHA1cf1ad33b7661c4f292a37512ef79378cdb70cae1
SHA256b0db9a6c45054b7720e2c3516edd4dd2f686b83e54306d09eb6f4f8cca10b194
SHA5128762bd096d17675ff18f7e871d13217e05f04af3b04c5f2c6a52406a67d7ca16ad0cf067a1cf9b5306339c58e5b26664d72af00d49ed12e1d2eb28a4693b56b6
-
C:\Boot\Fonts\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\Resources\en-US\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\bg-BG\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\cs-CZ\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\da-DK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\de-DE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\el-GR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-GB\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\en-US\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-ES\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\es-MX\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\et-EE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fi-FI\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-CA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\fr-FR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hr-HR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\hu-HU\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\it-IT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ja-JP\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ko-KR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lt-LT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\lv-LV\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nb-NO\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\nl-NL\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pl-PL\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-BR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\pt-PT\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\qps-ploc\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ro-RO\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\ru-RU\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sk-SK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sl-SI\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sr-Latn-RS\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\sv-SE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\tr-TR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\uk-UA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-CN\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Boot\zh-TW\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Documents and Settings\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\PerfLogs\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\Lang\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\DESIGNER\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\el-GR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\en-GB\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\microsoft shared\ink\en-US\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_2c818d6f-6b05-478c-8ce1-9d49a3874096MD5
3c1d317da4e850f8e2be3c1e90347005
SHA1f0159ce8e2835a0b371c335875372129f596c614
SHA256d23c10f67c81520a126007c77f22887269e635715290544bf841bb49d1492249
SHA512970f3643d3c42801e8c0f90e57030e34ff1a7cbc4427238558c67c0992d0a2d4456c0ca14a1f23f9907b2fba567e261f3a9245b4abfc54588e7eda8df1c60861
-
C:\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\odt\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\users\Public\window.batMD5
d2aba3e1af80edd77e206cd43cfd3129
SHA13116da65d097708fad63a3b73d1c39bffa94cb01
SHA2568940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA5120059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
\??\c:\BOOTSECT.BAKMD5
dde993c92d8efccd4e037b025ed90ccc
SHA152c179e1cbec1a04c90e47206dae43e45547e716
SHA256a0b69d8f94916748588b86cc026bd5163b56dda9b1bb9349d53dc8de1d87ce81
SHA512f41169015d22af59c9f6b675c61a8759c4ccc91b183ed0da27dfa56b5d3e2037bab8c35be7d258c12ebed9a2fab654c5de1ab29a05577118edb97dc53b108f18
-
memory/416-115-0x0000000000000000-mapping.dmp
-
memory/1020-132-0x0000000000000000-mapping.dmp
-
memory/1860-230-0x0000000000000000-mapping.dmp
-
memory/1980-229-0x0000000000000000-mapping.dmp
-
memory/2156-242-0x0000000000000000-mapping.dmp
-
memory/2164-228-0x0000000000000000-mapping.dmp
-
memory/2308-117-0x00007FF6CEA60000-0x00007FF6CEDEE000-memory.dmpFilesize
3.6MB
-
memory/2392-133-0x0000000000000000-mapping.dmp
-
memory/2404-128-0x0000000000000000-mapping.dmp
-
memory/3184-234-0x0000000000000000-mapping.dmp
-
memory/3284-127-0x0000000000000000-mapping.dmp
-
memory/3300-236-0x0000000000000000-mapping.dmp
-
memory/3404-241-0x0000000000000000-mapping.dmp
-
memory/3516-240-0x0000000000000000-mapping.dmp
-
memory/3532-239-0x0000000000000000-mapping.dmp
-
memory/3572-121-0x0000000000000000-mapping.dmp
-
memory/3584-237-0x0000000000000000-mapping.dmp
-
memory/3592-130-0x0000000000000000-mapping.dmp
-
memory/3800-232-0x0000000000000000-mapping.dmp
-
memory/4320-116-0x0000000000000000-mapping.dmp
-
memory/4580-131-0x0000000000000000-mapping.dmp
-
memory/4704-125-0x0000000000000000-mapping.dmp
-
memory/4788-235-0x0000000000000000-mapping.dmp
-
memory/5096-124-0x0000000000000000-mapping.dmp
-
memory/29460-216-0x0000000000000000-mapping.dmp
-
memory/30724-214-0x0000000000000000-mapping.dmp
-
memory/34744-129-0x0000000000000000-mapping.dmp
-
memory/37136-197-0x0000000000000000-mapping.dmp
-
memory/37136-198-0x0000000002B50000-0x0000000002B51000-memory.dmpFilesize
4KB
-
memory/41560-217-0x0000000000000000-mapping.dmp
-
memory/42856-215-0x0000000000000000-mapping.dmp
-
memory/43140-238-0x0000000000000000-mapping.dmp
-
memory/47336-218-0x0000000000000000-mapping.dmp
-
memory/67408-219-0x0000000000000000-mapping.dmp
-
memory/78532-231-0x0000000000000000-mapping.dmp
-
memory/78540-123-0x0000000000000000-mapping.dmp
-
memory/78548-122-0x0000000000000000-mapping.dmp
-
memory/78760-118-0x0000000000000000-mapping.dmp
-
memory/78768-126-0x0000000000000000-mapping.dmp
-
memory/78816-120-0x0000000000000000-mapping.dmp
-
memory/78824-233-0x0000000000000000-mapping.dmp
-
memory/78860-220-0x0000000000000000-mapping.dmp
-
memory/78912-222-0x0000000000000000-mapping.dmp
-
memory/78940-221-0x0000000000000000-mapping.dmp
-
memory/79000-223-0x0000000000000000-mapping.dmp
-
memory/79072-224-0x0000000000000000-mapping.dmp
-
memory/79076-199-0x0000000000000000-mapping.dmp
-
memory/79124-200-0x0000000000000000-mapping.dmp
-
memory/79144-225-0x0000000000000000-mapping.dmp
-
memory/79164-201-0x0000000000000000-mapping.dmp
-
memory/79184-226-0x0000000000000000-mapping.dmp
-
memory/79200-202-0x0000000000000000-mapping.dmp
-
memory/79220-227-0x0000000000000000-mapping.dmp
-
memory/79232-203-0x0000000000000000-mapping.dmp
-
memory/79264-204-0x0000000000000000-mapping.dmp
-
memory/79296-205-0x0000000000000000-mapping.dmp
-
memory/79328-206-0x0000000000000000-mapping.dmp
-
memory/79360-207-0x0000000000000000-mapping.dmp
-
memory/79392-208-0x0000000000000000-mapping.dmp
-
memory/79424-209-0x0000000000000000-mapping.dmp
-
memory/79456-210-0x0000000000000000-mapping.dmp
-
memory/79488-211-0x0000000000000000-mapping.dmp
-
memory/79520-212-0x0000000000000000-mapping.dmp
-
memory/79552-213-0x0000000000000000-mapping.dmp