23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

General

Target: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Filesize: 384KB
Completed: 20-10-2021 12:44
Score: 10/10
MD5: 5ac0f050f93f86e69026faea1fbb4450
SHA1: 9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Malware Config

Extracted

Path: C:\RyukReadMe.txt
Family: ryuk
Ransom Note:
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at WayneEvenson@protonmail.com or WayneEvenson@tutanota.com BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe
Emails

WayneEvenson@protonmail.com
WayneEvenson@tutanota.com

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures 29

  • Process spawned unexpected child process
    OfficeC2RClient.exe

    Description

    This typically indicates the parent process was compromised via an exploit or macro.

    Reported IOCs

    description | pid | pid_target | process | target process
    Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process | 79432 | 79408 | OfficeC2RClient.exe | WINWORD.EXE
  • Ryuk

    Description

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Executes dropped EXE
    igdYM.exe

    Reported IOCs

    pid | process
    1088 | igdYM.exe
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Deletes itself
    igdYM.exe

    Reported IOCs

    pid | process
    1088 | igdYM.exe
  • Drops startup file
    sihost.exe, RuntimeBroker.exe, taskhostw.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | sihost.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | RuntimeBroker.exe
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt | taskhostw.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    reg.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\igdYM.exe" | reg.exe
  • Enumerates connected drives
    vssadmin.exe (multiple instances), explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Drops file in Program Files directory
    RuntimeBroker.exe, taskhostw.exe, sihost.exe
  • Drops file in Windows directory
    explorer.exe, SearchUI.exe, ShellExperienceHost.exe, taskmgr.exe

    Reported IOCs

    description | ioc | process
    File created | C:\Windows\rescache\_merged\2717123927\1713683155.pri | explorer.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | SearchUI.exe
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | ShellExperienceHost.exe
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | ShellExperienceHost.exe
    File created | C:\Windows\rescache\_merged\1601268389\3068621934.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\4183903823\1195458082.pri | taskmgr.exe
    File created | C:\Windows\rescache\_merged\4032412167\2690874625.pri | explorer.exe
    File created | C:\Windows\rescache\_merged\3720402701\2274612954.pri | explorer.exe
  • Enumerates physical storage devices

    Description

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    TTPs

    System Information Discovery
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    1836 | 3760 | WerFault.exe | DllHost.exe
  • Checks SCSI registry key(s)
    explorer.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Enumerates system info in registry
    SearchUI.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
  • Interacts with shadow copies
    vssadmin.exe (64 instances)

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Modifies Internet Explorer settings
    explorer.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (int) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Toolbar | explorer.exe
  • Modifies registry class
    explorer.exe, SearchUI.exe, sihost.exe, sihost.exe, RuntimeBroker.exe
    Set value (data)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffffexplorer.exe
    Key created\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instanceexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFoldersexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0explorer.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shellexplorer.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\TotalSearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2explorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"sihost.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185"SearchUI.exe
    Key created\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRUexplorer.exe
    Set value (int)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295"explorer.exe
    Set value (str)\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"explorer.exe
  • Opens file in notepad (likely ransom note)
    NOTEPAD.EXE

    Reported IOCs

    pid | process
    78592 | NOTEPAD.EXE
  • Suspicious behavior: AddClipboardFormatListener
    explorer.exe

    Reported IOCs

    pid | process
    3616 | explorer.exe
  • Suspicious behavior: EnumeratesProcesses
    igdYM.exe, WerFault.exe, taskmgr.exe

    Reported IOCs

    pid | process
    1088 | igdYM.exe (×2)
    1836 | WerFault.exe (×12)
    1780 | taskmgr.exe (×50)
  • Suspicious behavior: GetForegroundWindowSpam
    explorer.exe, taskmgr.exe

    Reported IOCs

    pid | process
    3616 | explorer.exe
    1780 | taskmgr.exe
  • Suspicious use of AdjustPrivilegeToken
    igdYM.exe, WerFault.exe, vssvc.exe, explorer.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1088 | igdYM.exe
    Token: SeDebugPrivilege | 1836 | WerFault.exe
    Token: SeBackupPrivilege | 78808 | vssvc.exe
    Token: SeRestorePrivilege | 78808 | vssvc.exe
    Token: SeAuditPrivilege | 78808 | vssvc.exe
    Token: SeShutdownPrivilege | 3616 | explorer.exe (×30)
    Token: SeCreatePagefilePrivilege | 3616 | explorer.exe (×29)
  • Suspicious use of FindShellTrayWindow
    taskmgr.exe

    Reported IOCs

    pid | process
    1780 | taskmgr.exe (×64)
  • Suspicious use of SendNotifyMessage
    taskmgr.exe

    Reported IOCs

    pid | process
    1780 | taskmgr.exe (×64)
  • Suspicious use of SetWindowsHookEx
    ShellExperienceHost.exe, SearchUI.exe, explorer.exe

    Reported IOCs

    pid | process
    5380 | ShellExperienceHost.exe (×2)
    4260 | SearchUI.exe
    3616 | explorer.exe (×8)
  • Suspicious use of UnmapMainImage
    sihost.exe, RuntimeBroker.exe

    Reported IOCs

    pid | process
    2640 | sihost.exe
    3480 | RuntimeBroker.exe
  • Suspicious use of WriteProcessMemory
    23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe, igdYM.exe, cmd.exe, sihost.exe, cmd.exe, RuntimeBroker.exe, cmd.exe, sihost.exe

    Reported IOCs

    description | pid | process | target process
    PID 3772 wrote to memory of 1088 | 3772 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | igdYM.exe (×2)
    PID 1088 wrote to memory of 3976 | 1088 | igdYM.exe | cmd.exe (×2)
    PID 1088 wrote to memory of 2640 | 1088 | igdYM.exe | sihost.exe
    PID 3976 wrote to memory of 1664 | 3976 | cmd.exe | reg.exe (×2)
    PID 1088 wrote to memory of 2696 | 1088 | igdYM.exe | svchost.exe
    PID 1088 wrote to memory of 2892 | 1088 | igdYM.exe | taskhostw.exe
    PID 1088 wrote to memory of 3252 | 1088 | igdYM.exe | ShellExperienceHost.exe
    PID 1088 wrote to memory of 3272 | 1088 | igdYM.exe | SearchUI.exe
    PID 1088 wrote to memory of 3480 | 1088 | igdYM.exe | RuntimeBroker.exe
    PID 1088 wrote to memory of 3760 | 1088 | igdYM.exe | DllHost.exe
    PID 1088 wrote to memory of 1780 | 1088 | igdYM.exe | taskmgr.exe
    PID 2640 wrote to memory of 78716 | 2640 | sihost.exe | cmd.exe (×2)
    PID 78716 wrote to memory of 78776 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 78480 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 40852 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 78528 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 78516 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 78596 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 78844 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 2464 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 2056 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 2428 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 1832 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 1724 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 1524 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 78716 wrote to memory of 1984 | 78716 | cmd.exe | vssadmin.exe (×2)
    PID 3480 wrote to memory of 4204 | 3480 | RuntimeBroker.exe | cmd.exe (×2)
    PID 4204 wrote to memory of 4208 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 1552 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 844 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 2876 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 3964 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 1100 wrote to memory of 3616 | 1100 | sihost.exe | explorer.exe (×2)
    PID 4204 wrote to memory of 3724 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 3632 | 4204 | cmd.exe | vssadmin.exe (×2)
    PID 4204 wrote to memory of 14376 | 4204 | cmd.exe | vssadmin.exe (×2)
Processes 99
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    Suspicious behavior: GetForegroundWindowSpam
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:1780
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:3692
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78708
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:1252
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:2252
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Interacts with shadow copies
        PID:3584
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Interacts with shadow copies
        PID:1744
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Interacts with shadow copies
        PID:2712
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        PID:1688
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Interacts with shadow copies
        PID:3552
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Interacts with shadow copies
        PID:4100
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Interacts with shadow copies
        PID:2748
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Interacts with shadow copies
        PID:2036
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Interacts with shadow copies
        PID:3516
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Interacts with shadow copies
        PID:2828
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78592
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:3760
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 3760 -s 812
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Suspicious use of WriteProcessMemory
      PID:4204
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:4208
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:1552
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        PID:844
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2876
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:3964
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:3724
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        PID:3632
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:14376
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:18912
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:22228
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:35240
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    PID:3272
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    PID:3252
  • c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    Drops startup file
    Drops file in Program Files directory
    PID:2892
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:79532
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:79584
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:79620
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:79656
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Interacts with shadow copies
        PID:79688
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Interacts with shadow copies
        PID:79720
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Interacts with shadow copies
        PID:79752
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Interacts with shadow copies
        PID:79784
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Interacts with shadow copies
        PID:79836
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Interacts with shadow copies
        PID:39496
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Interacts with shadow copies
        PID:6932
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Interacts with shadow copies
        PID:11328
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Interacts with shadow copies
        PID:5580
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Interacts with shadow copies
        PID:78552
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:55704
  • c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    PID:2696
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      PID:31620
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78740
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:44020
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:3236
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Interacts with shadow copies
        PID:52148
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Interacts with shadow copies
        PID:57752
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Interacts with shadow copies
        PID:35600
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Interacts with shadow copies
        PID:78856
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Interacts with shadow copies
        PID:78892
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Interacts with shadow copies
        PID:78944
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Interacts with shadow copies
        PID:78960
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Interacts with shadow copies
        PID:78992
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Interacts with shadow copies
        PID:3936
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Interacts with shadow copies
        PID:79644
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:79656
  • c:\windows\system32\sihost.exe
    sihost.exe
    Drops startup file
    Drops file in Program Files directory
    Modifies registry class
    Suspicious use of UnmapMainImage
    Suspicious use of WriteProcessMemory
    PID:2640
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
      Suspicious use of WriteProcessMemory
      PID:78716
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:78776
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
        Interacts with shadow copies
        PID:78480
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
        Interacts with shadow copies
        PID:40852
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:78528
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78516
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:78596
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:78844
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2464
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:2056
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:2428
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:1832
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
        Enumerates connected drives
        Interacts with shadow copies
        PID:1724
      • C:\Windows\system32\vssadmin.exe
        vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
        Enumerates connected drives
        Interacts with shadow copies
        PID:1524
      • C:\Windows\system32\vssadmin.exe
        vssadmin Delete Shadows /all /quiet
        Interacts with shadow copies
        PID:1984
  • C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    "C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
    Suspicious use of WriteProcessMemory
    PID:3772
    • C:\users\Public\igdYM.exe
      "C:\users\Public\igdYM.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
      Executes dropped EXE
      Deletes itself
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\igdYM.exe" /f
        Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\system32\reg.exe
          REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\igdYM.exe" /f
          Adds Run key to start application
          PID:1664
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\RyukReadMe.txt
    Opens file in notepad (likely ransom note)
    PID:78592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:78808
  • \??\c:\windows\system32\sihost.exe
    sihost.exe
    Modifies registry class
    Suspicious use of WriteProcessMemory
    PID:1100
    • C:\Windows\explorer.exe
      explorer.exe /LOADSAVEDWINDOWS
      Enumerates connected drives
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3616
      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\ClearComplete.pdf"
        PID:79300
      • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
        PID:79408
        • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
          OfficeC2RClient.exe /error PID=79408 ProcessName="Microsoft Word" UIType=3 ErrorSource=0x8b10082a ErrorCode=0x80004005 ShowUI=1
          Process spawned unexpected child process
          PID:79432
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Drops file in Windows directory
    Enumerates system info in registry
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:4260
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Drops file in Windows directory
    Suspicious use of SetWindowsHookEx
    PID:5380
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID:8072
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID:79260
  • \??\c:\windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID:79816
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    PID:79688
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0 /state0:0xa3a92855 /state1:0x41c64e6d
    PID:4196
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Execution
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
              Downloads
              • C:\Boot\Fonts\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\Resources\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\Resources\en-US\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\bg-BG\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\cs-CZ\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\da-DK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\de-DE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\el-GR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\en-GB\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\en-US\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\es-ES\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\es-MX\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\et-EE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fi-FI\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fr-CA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\fr-FR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\hr-HR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\hu-HU\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\it-IT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ja-JP\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ko-KR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lt-LT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\lv-LV\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nb-NO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\nl-NL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pl-PL\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-BR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\pt-PT\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\qps-ploc\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ro-RO\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\ru-RU\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sk-SK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sl-SI\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sr-Latn-RS\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\sv-SE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\tr-TR\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\uk-UA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\zh-CN\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Boot\zh-TW\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Documents and Settings\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\PerfLogs\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\7-Zip\Lang\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\7-Zip\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\DESIGNER\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ClickToRun\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\ar-SA\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\bg-BG\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\da-DK\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\Common Files\microsoft shared\ink\de-DE\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\Program Files\RyukReadMe.txt

                MD5

                cd99cba6153cbc0b14b7a849e4d0180f

                SHA1

                375961866404a705916cbc6cd4915de7d9778923

                SHA256

                74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

                SHA512

                0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

              • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_820f872d-98d3-48ae-bed7-778ac98992bc

                MD5
