f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample

General

Target: f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
Filesize: 170KB
Completed: 20-10-2021 09:10
Score: 10/10
MD5: 1bd7d1b87c5091a9653fe8005892b784
SHA1: 3dcf19b833266a3591fd97c93e5b9bca4ac2c21c
SHA256: f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703

Malware Config

Extracted

Path: C:\RyukReadMe.txt
Family: ryuk
Ransom Note:
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com

WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures 24

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Impact, Persistence

  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Drops startup file
    Processes: sihost.exe, svchost.exe, taskhostw.exe, RuntimeBroker.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | svchost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | taskhostw.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | RuntimeBroker.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    Process: reg.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" | reg.exe
  • Enumerates connected drives
    Processes: vssadmin.exe (multiple instances), explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs (distinct entries)

    description | ioc | process
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\D: | explorer.exe
  • Drops file in System32 directory
    Process: cmd.exe

    Reported IOCs (distinct entries)

    description | ioc | process
    File created | C:\Windows\System32\àù¬üé | cmd.exe
  • Drops file in Program Files directory
    Processes: sihost.exe, svchost.exe, RuntimeBroker.exe, taskhostw.exe

  • Drops file in Windows directory
    Processes: explorer.exe, ShellExperienceHost.exe, SearchUI.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | explorer.exe
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | ShellExperienceHost.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | SearchUI.exe
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | ShellExperienceHost.exe
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | explorer.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    Process: WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    2948 | 3704 | WerFault.exe | DllHost.exe
  • Checks SCSI registry key(s)
    Process: explorer.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  • Enumerates system info in registry
    Process: SearchUI.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
  • Interacts with shadow copies
    Processes: vssadmin.exe (multiple instances)

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

  • Modifies registry class
    Processes: explorer.exe, SearchUI.exe, svchost.exe, sihost.exe, taskhostw.exe, RuntimeBroker.exe

  • Suspicious behavior: EnumeratesProcesses
    Processes: f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, WerFault.exe

    Reported IOCs (distinct entries)

    pid | process
    1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    2948 | WerFault.exe
  • Suspicious behavior: GetForegroundWindowSpam
    Process: explorer.exe

    Reported IOCs

    pid | process
    35580 | explorer.exe
  • Suspicious use of AdjustPrivilegeToken
    Processes: f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, WerFault.exe, vssvc.exe, explorer.exe, RuntimeBroker.exe

    Reported IOCs (distinct entries)

    description | pid | process
    Token: SeDebugPrivilege | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    Token: SeDebugPrivilege | 2948 | WerFault.exe
    Token: SeBackupPrivilege | 46140 | vssvc.exe
    Token: SeRestorePrivilege | 46140 | vssvc.exe
    Token: SeAuditPrivilege | 46140 | vssvc.exe
    Token: SeShutdownPrivilege | 35580 | explorer.exe
    Token: SeCreatePagefilePrivilege | 35580 | explorer.exe
    Token: SeTakeOwnershipPrivilege | 3440 | RuntimeBroker.exe
    Token: SeRestorePrivilege | 3440 | RuntimeBroker.exe
    Token: SeCreatePagefilePrivilege35580explorer.exe
  • Suspicious use of FindShellTrayWindow
    sihost.exe, explorer.exe

    Reported IOCs

    pid | process
    78672 | sihost.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
  • Suspicious use of SendNotifyMessage
    explorer.exe

    Reported IOCs

    pid | process
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
    35580 | explorer.exe
  • Suspicious use of SetWindowsHookEx
    ShellExperienceHost.exe, SearchUI.exe

    Reported IOCs

    pid | process
    39688 | ShellExperienceHost.exe
    40060 | SearchUI.exe
    39688 | ShellExperienceHost.exe
  • Suspicious use of UnmapMainImage
    sihost.exe, svchost.exe, taskhostw.exe, RuntimeBroker.exe

    Reported IOCs

    pid | process
    2316 | sihost.exe
    2348 | svchost.exe
    2748 | taskhostw.exe
    3440 | RuntimeBroker.exe
  • Suspicious use of WriteProcessMemory
    f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe, cmd.exe, sihost.exe, cmd.exe, sihost.exe, svchost.exe, cmd.exe

    Reported IOCs

    description | pid | process | target process
    PID 1420 wrote to memory of 3312 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | cmd.exe
    PID 1420 wrote to memory of 3312 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | cmd.exe
    PID 1420 wrote to memory of 2316 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | sihost.exe
    PID 3312 wrote to memory of 3340 | 3312 | cmd.exe | reg.exe
    PID 3312 wrote to memory of 3340 | 3312 | cmd.exe | reg.exe
    PID 1420 wrote to memory of 2348 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | svchost.exe
    PID 1420 wrote to memory of 2748 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | taskhostw.exe
    PID 1420 wrote to memory of 3220 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | ShellExperienceHost.exe
    PID 1420 wrote to memory of 3232 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | SearchUI.exe
    PID 1420 wrote to memory of 3440 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | RuntimeBroker.exe
    PID 1420 wrote to memory of 3704 | 1420 | f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe | DllHost.exe
    PID 2316 wrote to memory of 78788 | 2316 | sihost.exe | cmd.exe
    PID 2316 wrote to memory of 78788 | 2316 | sihost.exe | cmd.exe
    PID 78788 wrote to memory of 78844 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78844 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78516 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78516 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3864 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3864 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78708 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78708 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78836 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 78836 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1016 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1016 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 4084 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 4084 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3488 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3488 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3460 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3460 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1100 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1100 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1244 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 1244 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 972 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 972 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 716 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 716 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3036 | 78788 | cmd.exe | vssadmin.exe
    PID 78788 wrote to memory of 3036 | 78788 | cmd.exe | vssadmin.exe
    PID 78672 wrote to memory of 35580 | 78672 | sihost.exe | explorer.exe
    PID 78672 wrote to memory of 35580 | 78672 | sihost.exe | explorer.exe
    PID 2348 wrote to memory of 2228 | 2348 | svchost.exe | cmd.exe
    PID 2348 wrote to memory of 2228 | 2348 | svchost.exe | cmd.exe
    PID 2228 wrote to memory of 50168 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 50168 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 78692 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 78692 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 184 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 184 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 7904 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 7904 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 4088 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 4088 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 2188 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 2188 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 2292 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 2292 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 1532 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 1532 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 35172 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 35172 | 2228 | cmd.exe | vssadmin.exe
    PID 2228 wrote to memory of 3208 | 2228 | cmd.exe | vssadmin.exe
Processes 78
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:50168
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:78692
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:184
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Interacts with shadow copies
        PID:7904
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:4088
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2188
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:2292
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:1532
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:35172
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3208
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Interacts with shadow copies
        PID:3092
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2192
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:872
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:4032
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    PID:3220
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3704
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3704 -s 812
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of UnmapMainImage
    PID:3440
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:1364
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Enumerates connected drives
        Interacts with shadow copies
        PID:6848
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:8856
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:12112
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:13020
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:2304
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:35456
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:4236
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:4160
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:37260
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:4176
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:4192
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:4220
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:5136
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:4256
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    PID:3232
  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    PID:2748
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:3508
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:1036
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:44888
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:2900
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2752
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:2920
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2136
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3808
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2660
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:35728
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3228
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Interacts with shadow copies
        PID:6848
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Interacts with shadow copies
        PID:8856
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Interacts with shadow copies
        PID:12112
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:13020
  • c:\windows\system32\sihost.exe
    sihost.exe
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2316
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:78788
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78844
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:78516
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:3864
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:78708
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78836
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:1016
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:4084
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3488
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3460
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:1100
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:1244
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:972
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:716
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:3036
  • C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe
    "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe"
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
      Suspicious use of WriteProcessMemory
      PID:3312
      • C:\Windows\system32\reg.exe
        REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\f130530949c0e3adca48ba558980b634c0a78c8faa5572718b665cc7abfd7703.bin.sample.exe" /f
        Adds Run key to start application
        PID:3340
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:46140
  • \??\c:\windows\system32\sihost.exe
    sihost.exe
    Modifies registry class
    Suspicious use of FindShellTrayWindow
    Suspicious use of WriteProcessMemory
    PID:78672
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      Enumerates connected drives
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies registry class
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:35580
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Drops file in Windows directory
    Suspicious use of SetWindowsHookEx
    PID:39688
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Drops file in Windows directory
    Enumerates system info in registry
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:40060
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:396
  • \??\c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:78792
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
Downloads
  • C:\Boot\BOOTSTAT.DAT
    MD5 8e93465dfb9b10612291136e552eb74e
    SHA1 8e3f583fea6de160d08747f2e87cb46ca36fefee
    SHA256 0c5930fca13bdebe606cc5e75fb82eeff4103bc9de8325c6435defaa70b6c115
    SHA512 0956f35dc6d21236cb60545374560a4081de21339a02c3ab4f94f14ca10f6b21566928a1831070a6e7234a31e831aff5d8d3e4b87c312791cb717e84371ab197
  • C:\Boot\Fonts\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\Resources\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\Resources\en-US\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\bg-BG\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\cs-CZ\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\da-DK\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\de-DE\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\el-GR\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\en-GB\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\en-US\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\es-ES\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\es-MX\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\et-EE\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\fi-FI\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\fr-CA\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\fr-FR\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\hr-HR\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f
    SHA1 375961866404a705916cbc6cd4915de7d9778923
    SHA256 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
    SHA512 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
  • C:\Boot\hu-HU\RyukReadMe.txt
    MD5 cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\it-IT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ja-JP\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ko-KR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lt-LT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lv-LV\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nb-NO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nl-NL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pl-PL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-BR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-PT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\qps-ploc\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ro-RO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ru-RU\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sk-SK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sl-SI\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sr-Latn-RS\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sv-SE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\tr-TR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\uk-UA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\zh-CN\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\zh-TW\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Documents and Settings\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\PerfLogs\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\7-Zip\7-zip.chm

                MD5

                6a4486f69674b76311c4e45c26ca41f8

                SHA1

                f62bdd781a2e5e188d6bcea83e4252f3ccb27c7c

                SHA256

                e2d1aeb277f63fb031b052e5a433efefe08cb8a7dadd14d92361791b2e389af4

                SHA512

                504039d77f907ae933ffce5754761c1d079f394d35b63e3c6ec559001a301a207cdd1808a41b8ab510e6cff4b1b1c351ff62ca48c746026debc7e112e8391258

              • C:\Program Files\7-Zip\7z.sfx

                MD5

                979f96951c5b6f769f01182d100ce9c0

                SHA1

                6686d8aaa3059cb7fd2de8b7fb715bea30eb2224

                SHA256

                2c04b4f63a4286809a91554e8e770a6ad66706c051cce1863bb24df99adc4271

                SHA512

                1917cb004f4e7a7e1d19b0c79fef2519cd0b5d6123ac620baf76c399994fe7da0271e91f35b21ad17c34b01417f8aff94b4374cf06fb6e887d40d61898c653bc

              • C:\Program Files\7-Zip\7zCon.sfx

                MD5

                0fbd59adec735df03b2130c9ed96b615

                SHA1

                577b3a664cb198c1eaa43c6e7941c7dcf7190a43

                SHA256

                4f007646dbb5d6c4e820cdc4e4a1dca2e87640310ed4272d8f0bb9e309814450

                SHA512

                d5b05b6673bb345f49af5cf588f60cf991b83dccec118d6f1089d17cff2c6a220906038340eeecc36576114350fadb56fea180581a03b9570e7a3f5c82806030

              • C:\Program Files\7-Zip\History.txt

                MD5

                1ae047d63f852bf646dbfbc793bfb1a6

                SHA1

                80f82c610888ea07914b233e9c226cc10500ff1d

                SHA256

                02bd5ac58698c26be1815243f3794346b4a91e3dee6d0b2c315131c541af921a

                SHA512

                0a1c99a1dc7d49deb5d4b478c2fc20f989c09fadb9fc8ce8cb3e5025cf3ad979daf11ec478a43459f7d597e8371d5651175a359a1467bfbbaa08e50a5668ac1b

              • C:\Program Files\7-Zip\Lang\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\7-Zip\Lang\af.txt

                MD5

                bcb00849dc840df244da8e5c2f22e834

                SHA1

                a9bd8ebc63805322087710fe67d995de6295adf2

                SHA256

                28d3d23372578fe7b31278afa397c333967f3b5ef14e84c06b9ede56de01dfa6

                SHA512

                4fbfe6d5d53ffc47e370009c4e412fafe15cd6eb1ed207b3dc0ebbc212de2092ebf80d34d8691e8cb11321874a9d9ab33b757e3087c48190877ea2774e6b352d

              • C:\Program Files\7-Zip\Lang\an.txt

                MD5

                6159bea1a46bbef9c3b91431bb725391

                SHA1

                87f27474b29987a7816231f7059ca4bf4b65193d

                SHA256

                2d060961eda31f2bdd162700e74ba22596197dc5ae6eeb68ecb57657700d505b

                SHA512

                f15817c304f60bad07dc7cc433b7d87cf13699854652202594116a1d1211abdde25f0ef6419c0c47b9468ddd60adc2cc0c05d34c5b8489207182dcd991e2f0d7

              • C:\Program Files\7-Zip\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\7-Zip\descript.ion

                MD5

                e1dfdef3bc0921f6e33750ae0a0ed7f1

                SHA1

                5f9b3329fd32bcfbc9954d58257012d921a47c83

                SHA256

                531144b342524d97eefac4f7a3635c489323454e7a37878ba692a8aa4ca32ea1

                SHA512

                11d7da7fec9c98773094a76a2f2c632c5414fd0aa6662af3d709cbaaadd560597250ec6e02acbc4e6b99e60b9ce8add23021c2e2d63522918834cbe664be7dc2

              • C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_2c818d6f-6b05-478c-8ce1-9d49a3874096

                MD5

                ee1e32a271661cbf016b3bef6bc8c842

                SHA1

                8d73ef523b23cb0b3caa90fae3a1aad8a623fb6c

                SHA256

                241266ec461fd7369026272a6cf8bdbd74276a7a3ce3b6bddd3bd91dd310244d

                SHA512

                bce8a2dd487478f675c8fbef6de1f25d042cd53bcb97d14409ee8a57b0db766db01fe3a062b01cd1b8d25db01b53ddf7df8acf407769efae0fc2cf9e7215cbce

              • C:\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\odt\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\odt\config.xml

                MD5

                41729f0616fca66616d3620bee378c35

                SHA1

                db7f03af33a5aa7f10ec442944db5f2fbba29896

                SHA256

                16c225df2c7ec380ebe2dcaded5277ed997bd0aeff36d0eab760c8bfd869412a

                SHA512

                d638351d0761dbf831b4b712a634749363c668ddd38d257d7808bcb8a2b3463d45b6066b9aa636947da5de7ba79ef4a419ff5d40e4bcfa9783d255de47e8dae6

              • C:\users\Public\window.bat

                MD5

                d2aba3e1af80edd77e206cd43cfd3129

                SHA1

                3116da65d097708fad63a3b73d1c39bffa94cb01

                SHA256

                8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

                SHA512

                0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

              • \??\c:\BOOTSECT.BAK

                MD5

                45f148ac5ef8d334b30885d9b00dca43

                SHA1

                1100b9555cbafb3bf428e31a169e9a00c4a72a08

                SHA256

                235bd63b77ce5ba809283f70734e0788f9e93b98eb6dd3eb8314c8a585c77cb3

                SHA512

                b6cf029cccc664581dc126e6e5dfb127044a69a86140501641ab6ca47de813c95a038135a497e8d6b9f3462c30d8a053c8644b09a443bda0ea2a55e04ff95d13

              • memory/184-202-0x0000000000000000-mapping.dmp

              • memory/716-132-0x0000000000000000-mapping.dmp

              • memory/872-212-0x0000000000000000-mapping.dmp

              • memory/972-131-0x0000000000000000-mapping.dmp

              • memory/1016-125-0x0000000000000000-mapping.dmp

              • memory/1036-215-0x0000000000000000-mapping.dmp

              • memory/1100-129-0x0000000000000000-mapping.dmp

              • memory/1244-130-0x0000000000000000-mapping.dmp

              • memory/1364-229-0x0000000000000000-mapping.dmp

              • memory/1532-207-0x0000000000000000-mapping.dmp

              • memory/2136-220-0x0000000000000000-mapping.dmp

              • memory/2188-205-0x0000000000000000-mapping.dmp

              • memory/2192-211-0x0000000000000000-mapping.dmp

              • memory/2228-199-0x0000000000000000-mapping.dmp

              • memory/2292-206-0x0000000000000000-mapping.dmp

              • memory/2304-234-0x0000000000000000-mapping.dmp

              • memory/2316-117-0x00007FF721640000-0x00007FF7219CE000-memory.dmp

              • memory/2660-222-0x0000000000000000-mapping.dmp

              • memory/2752-218-0x0000000000000000-mapping.dmp

              • memory/2900-217-0x0000000000000000-mapping.dmp

              • memory/2920-219-0x0000000000000000-mapping.dmp

              • memory/3036-133-0x0000000000000000-mapping.dmp

              • memory/3092-210-0x0000000000000000-mapping.dmp

              • memory/3208-209-0x0000000000000000-mapping.dmp

              • memory/3228-224-0x0000000000000000-mapping.dmp

              • memory/3312-115-0x0000000000000000-mapping.dmp

              • memory/3340-116-0x0000000000000000-mapping.dmp

              • memory/3460-128-0x0000000000000000-mapping.dmp

              • memory/3488-127-0x0000000000000000-mapping.dmp

              • memory/3508-214-0x0000000000000000-mapping.dmp

              • memory/3808-221-0x0000000000000000-mapping.dmp

              • memory/3864-122-0x0000000000000000-mapping.dmp

              • memory/4032-213-0x0000000000000000-mapping.dmp

              • memory/4084-126-0x0000000000000000-mapping.dmp

              • memory/4088-204-0x0000000000000000-mapping.dmp

              • memory/4160-237-0x0000000000000000-mapping.dmp

              • memory/4176-239-0x0000000000000000-mapping.dmp

              • memory/4192-240-0x0000000000000000-mapping.dmp

              • memory/4220-241-0x0000000000000000-mapping.dmp

              • memory/4236-236-0x0000000000000000-mapping.dmp

              • memory/4256-243-0x0000000000000000-mapping.dmp

              • memory/5136-242-0x0000000000000000-mapping.dmp

              • memory/6848-225-0x0000000000000000-mapping.dmp

              • memory/6848-230-0x0000000000000000-mapping.dmp

              • memory/7904-203-0x0000000000000000-mapping.dmp

              • memory/8856-231-0x0000000000000000-mapping.dmp

              • memory/8856-226-0x0000000000000000-mapping.dmp

              • memory/12112-227-0x0000000000000000-mapping.dmp

              • memory/12112-232-0x0000000000000000-mapping.dmp

              • memory/13020-233-0x0000000000000000-mapping.dmp

              • memory/13020-228-0x0000000000000000-mapping.dmp

              • memory/35172-208-0x0000000000000000-mapping.dmp

              • memory/35456-235-0x0000000000000000-mapping.dmp

              • memory/35580-198-0x00000000012B0000-0x00000000012B1000-memory.dmp

              • memory/35580-197-0x0000000000000000-mapping.dmp

              • memory/35728-223-0x0000000000000000-mapping.dmp

              • memory/37260-238-0x0000000000000000-mapping.dmp

              • memory/44888-216-0x0000000000000000-mapping.dmp

              • memory/50168-200-0x0000000000000000-mapping.dmp

              • memory/78516-121-0x0000000000000000-mapping.dmp

              • memory/78692-201-0x0000000000000000-mapping.dmp

              • memory/78708-123-0x0000000000000000-mapping.dmp

              • memory/78788-118-0x0000000000000000-mapping.dmp

              • memory/78836-124-0x0000000000000000-mapping.dmp

              • memory/78844-120-0x0000000000000000-mapping.dmp