Analysis
- max time kernel: 101s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 17-02-2022 12:07
Static task: static1
Behavioral task: behavioral1
  Sample: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
  Resource: win10v2004-en-20220112
General
- Target: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
- Size: 384KB
- MD5: 5ac0f050f93f86e69026faea1fbb4450
- SHA1: 9709774fde9ec740ad6fed8ed79903296ca9d571
- SHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
- SHA512: b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d
Malware Config
Extracted
- Path: C:\RyukReadMe.txt
- Family: ryuk
- Wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
- Ryuk
  Ransomware distributed via existing botnets, often Trickbot or Emotet.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoC)
  Processes:
    pid | process
    1812 | ISiNe.exe
- Modifies extensions of user files (2 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\ResolveConvertFrom.tiff | taskhost.exe
    File opened for modification | C:\Users\Admin\Pictures\ResolveConvertFrom.tiff | Dwm.exe
- Deletes itself (1 IoC)
  Processes:
    pid | process
    1812 | ISiNe.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid | process
    524 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\ISiNe.exe" | reg.exe
- Enumerates connected drives (3 TTPs, 36 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
    description | ioc | process
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\f: | vssadmin.exe
    File opened (read-only) | \??\F: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\D: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
    File opened (read-only) | \??\E: | vssadmin.exe
    File opened (read-only) | \??\g: | vssadmin.exe
    File opened (read-only) | \??\G: | vssadmin.exe
    File opened (read-only) | \??\H: | vssadmin.exe
    File opened (read-only) | \??\h: | vssadmin.exe
    File opened (read-only) | \??\e: | vssadmin.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\Vincennes | taskhost.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Australia\Perth | taskhost.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Stanley | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp | taskhost.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\Ushuaia | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0157995.WMF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\PS9CRNRH.POC | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA00396_.WMF | Dwm.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml | taskhost.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Abidjan | taskhost.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\RyukReadMe.txt | taskhost.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_ja.jar | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0280468.WMF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Essential.thmx | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RyukReadMe.txt | taskhost.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\sunec.jar | taskhost.exe
    File opened for modification | C:\Program Files\VideoLAN\VLC\lua\intf\luac.luac | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\TITLE.XSL | Dwm.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Etc\GMT+7 | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSGR3ES.LEX | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\REC.CFG | taskhost.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\Currie | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\form_edit.js | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LTHD98SP.POC | Dwm.exe
    File opened for modification | C:\Program Files\MSBuild\Microsoft\RyukReadMe.txt | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO02054_.WMF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21295_.GIF | taskhost.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\about.html | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\RyukReadMe.txt | Dwm.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\203x8subpicture.png | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0171847.WMF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\BD18235_.WMF | taskhost.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf | Dwm.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Africa\Johannesburg | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187849.WMF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD07804_.WMF | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\GIFT.DPV | Dwm.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\si.txt | taskhost.exe
    File opened for modification | C:\Program Files\7-Zip\Lang\sq.txt | taskhost.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\ECLIPSE_.RSA | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HTECH_01.MID | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742G.GIF | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\TAB_OFF.GIF | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Reference Assemblies\RyukReadMe.txt | Dwm.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\fontconfig.properties.src | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Adobe\symbol.txt | taskhost.exe
    File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif | Dwm.exe
    File opened for modification | C:\Program Files\Java\jre7\lib\zi\Pacific\Tahiti | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21366_.GIF | Dwm.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF | taskhost.exe
    File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\WhiteDot.png | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\RyukReadMe.txt | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\THMBNAIL.PNG | Dwm.exe
    File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_ja.jar | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00158_.GIF | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00391_.WMF | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR16F.GIF | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate.css | Dwm.exe
    File opened for modification | C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\enu-dsk\M1033DSK.APL | taskhost.exe
    File opened for modification | C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0299171.WMF | taskhost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Interacts with shadow copies (2 TTPs, 28 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid | process
    832 | vssadmin.exe
    1992 | vssadmin.exe
    1812 | vssadmin.exe
    2160 | vssadmin.exe
    1696 | vssadmin.exe
    860 | vssadmin.exe
    1520 | vssadmin.exe
    1688 | vssadmin.exe
    57268 | vssadmin.exe
    2096 | vssadmin.exe
    2144 | vssadmin.exe
    2336 | vssadmin.exe
    70628 | vssadmin.exe
    1680 | vssadmin.exe
    948 | vssadmin.exe
    996 | vssadmin.exe
    67248 | vssadmin.exe
    2060 | vssadmin.exe
    1840 | vssadmin.exe
    992 | vssadmin.exe
    56352 | vssadmin.exe
    2388 | vssadmin.exe
    1876 | vssadmin.exe
    1488 | vssadmin.exe
    2372 | vssadmin.exe
    964 | vssadmin.exe
    1852 | vssadmin.exe
    2428 | vssadmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
    pid | process
    1812 | ISiNe.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1812 | ISiNe.exe
    Token: SeBackupPrivilege | 70552 | vssvc.exe
    Token: SeRestorePrivilege | 70552 | vssvc.exe
    Token: SeAuditPrivilege | 70552 | vssvc.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  Processes:
    pid | process
    1116 | taskhost.exe
    1184 | Dwm.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes:
    description | pid | process | target process
    PID 524 wrote to memory of 1812 | 524 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | ISiNe.exe
    PID 524 wrote to memory of 1812 | 524 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | ISiNe.exe
    PID 524 wrote to memory of 1812 | 524 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | ISiNe.exe
    PID 524 wrote to memory of 1812 | 524 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | ISiNe.exe
    PID 1812 wrote to memory of 460 | 1812 | ISiNe.exe | cmd.exe
    PID 1812 wrote to memory of 460 | 1812 | ISiNe.exe | cmd.exe
    PID 1812 wrote to memory of 460 | 1812 | ISiNe.exe | cmd.exe
    PID 1812 wrote to memory of 1116 | 1812 | ISiNe.exe | taskhost.exe
    PID 460 wrote to memory of 1740 | 460 | cmd.exe | reg.exe
    PID 460 wrote to memory of 1740 | 460 | cmd.exe | reg.exe
    PID 460 wrote to memory of 1740 | 460 | cmd.exe | reg.exe
    PID 1812 wrote to memory of 1184 | 1812 | ISiNe.exe | Dwm.exe
    PID 1116 wrote to memory of 70584 | 1116 | taskhost.exe | cmd.exe
    PID 1116 wrote to memory of 70584 | 1116 | taskhost.exe | cmd.exe
    PID 1116 wrote to memory of 70584 | 1116 | taskhost.exe | cmd.exe
    PID 70584 wrote to memory of 70628 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 70628 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 70628 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 832 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 832 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 832 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1680 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1680 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1680 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 948 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 948 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 948 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1876 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1876 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1876 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1840 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1840 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1840 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1520 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1520 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1520 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 964 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 964 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 964 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 996 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 996 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 996 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1688 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1688 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1688 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 992 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 860 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 860 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 860 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1488 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1488 | 70584 | cmd.exe | vssadmin.exe
    PID 70584 wrote to memory of 1488 | 70584 | cmd.exe | vssadmin.exe
    PID 1184 wrote to memory of 43536 | 1184 | Dwm.exe | cmd.exe
    PID 1184 wrote to memory of 43536 | 1184 | Dwm.exe | cmd.exe
    PID 1184 wrote to memory of 43536 | 1184 | Dwm.exe | cmd.exe
    PID 43536 wrote to memory of 57268 | 43536 | cmd.exe | vssadmin.exe
    PID 43536 wrote to memory of 57268 | 43536 | cmd.exe | vssadmin.exe
    PID 43536 wrote to memory of 57268 | 43536 | cmd.exe | vssadmin.exe
    PID 43536 wrote to memory of 67248 | 43536 | cmd.exe | vssadmin.exe
Processes
- C:\Windows\system32\Dwm.exe (PID 1184, level 1)
  Command line: "C:\Windows\system32\Dwm.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 43536, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 57268, level 3)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 67248, level 3)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 56352, level 3)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1852, level 3)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1696, level 3)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1812, level 3)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2060, level 3)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2096, level 3)
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2144, level 3)
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2428, level 3)
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2388, level 3)
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2372, level 3)
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2160, level 3)
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 2336, level 3)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
- C:\Windows\system32\taskhost.exe (PID 1116, level 1)
  Command line: "taskhost.exe"
  - Modifies extensions of user files
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe (PID 70584, level 2)
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\vssadmin.exe (PID 70628, level 3)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 832, level 3)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1680, level 3)
      Command line: vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 948, level 3)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1876, level 3)
      Command line: vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1840, level 3)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1992, level 3)
      Command line: vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1520, level 3)
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 964, level 3)
      Command line: vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 996, level 3)
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1688, level 3)
      Command line: vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 992, level 3)
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 860, level 3)
      Command line: vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
      - Enumerates connected drives
      - Interacts with shadow copies
    - C:\Windows\system32\vssadmin.exe (PID 1488, level 3)
      Command line: vssadmin Delete Shadows /all /quiet
      - Interacts with shadow copies
- C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID 524, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\users\Public\ISiNe.exe (PID 1812, level 2)
    Command line: "C:\users\Public\ISiNe.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
    - Executes dropped EXE
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe (PID 460, level 3)
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ISiNe.exe" /f
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 1740, level 4)
        Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\ISiNe.exe" /f
        - Adds Run key to start application
- C:\Windows\system32\vssvc.exe (PID 70552, level 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\Dwm.exe (PID 1716, level 1)
  Command line: "C:\Windows\system32\Dwm.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Documents and Settings\RyukReadMe.txt
  MD5: cd99cba6153cbc0b14b7a849e4d0180f
  SHA1: 375961866404a705916cbc6cd4915de7d9778923
  SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
  SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
- C:\MSOCache\All Users\RyukReadMe.txt
  MD5: cd99cba6153cbc0b14b7a849e4d0180f
  SHA1: 375961866404a705916cbc6cd4915de7d9778923
  SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
  SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
  MD5: a7557406d504a868f311878960b580eb
  SHA1: a7e640d75b9e0449efe7b807dbcd7c195fb4fdac
  SHA256: 55e188297d45ae3ab7b89541a912657252be252072de0a052bec12d781babc7a
  SHA512: 59da7720e6f8b8bc838878e3a75ddb28f2be0e500bf1f5e2d6b49c2337715dfa2b7540fc67b5a022bf2d788a026cb05eb5549f79a52bfa21c2e71b46c9f41667
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
  MD5: 7883e933b950e23aede2e410ec5b274a
  SHA1: f29d044848eb7aa16f78161354ba1d9d2bb42e93
  SHA256: 08116b7959d31130cad2d8c374a00c1f7d499e60b11a666c2cc6f6cfbd7047ec
  SHA512: 10f4bfdd4744af7694fa4b13c8a2f61c4946b2ab1036c607158daec495e5d9460a445eb1a8af17db4ee9c7f42ed02531d67490822489e2bc6f162f8e94cb6cbf
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
  MD5: 91f5533b7a94ff0082c9f56951ec994a
  SHA1: f2722e1fde300bf242bf0c723887f7e6afa1421e
  SHA256: aa4b575450393cda9017e540b34c4b37c55bb80ab791034ce1b97150605a3c59
  SHA512: 8857ac1fbe4f431ec6799da32f47a5d19a9ff78051fa6849972e37c92c80f3b3d50f349cc3983e0a8764624d17ddfaac4d4af8a14bab5d4b83c5b6721076dcf0
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
  MD5: e7684b2a8453f696225e8b2a8f3aa5f3
  SHA1: a616637ab5c66de835e1670b476bdd36103c97f6
  SHA256: 0aa947ef3bbd241544a3accc370b35c9bddb279cb659523a192519f547cd6aa0
  SHA512: 7a55139333c688934db17f5b907dd2e9957b29dfc5f9603dd33cdc1c73501db40f34f04155600be5ca89ee4d612ef5deda1ae45a4bcf7df2950e878bc0764470
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml
  MD5: ff7eead0b88f39163ca037d8aa323b29
  SHA1: ba9851cc4b723bac9c1a0153b81683a63f128ed4
  SHA256: 3b8967a0a651d5ed6a51a8060e1c5ed1f2081ba38781cfff90214fc6b9449b19
  SHA512: 939171bc04a04805a07859a05b8968c52b64913dac4ac975d1580e19a4e592e1ce03a8b165a4138576f2cd4c3f72eab3f622c842c468231dcc89954c9d16e9c8
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
  MD5: 793fd0364c4c830f0bf4630b56c5967c
  SHA1: 71f720d2173809324f6f30a29557037a3c1da7a3
  SHA256: d854d0a35ee1636894c7a2a20edda85745bf50e6d7e4188c6f6cdc4559b5dbb7
  SHA512: 1700905fd16592532cf8f67c0608cc87196beab03a071a7560fa69f92ad681dcb57de4c7a6c89a3a6c25242abeaf551bb7d070e0f0a82934b5fa548e075e7b5a
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
  MD5: 155f39a11e705467a07de1f1707b5e48
  SHA1: 38002fbea1bb66c3e80d502d737e9745eba88a64
  SHA256: a9b07e69b0c119747e9126aa1e665947d78df8c30c6e9900a873ba184bf2f3e9
  SHA512: 8fa177fb29b84e28f17cf97bf633752fa9e2cf283bb1825f6825f183358755bdf9d5e1471925eb5e6ce018873b3e74065349baa6a92e731b7a7b1db15e7d5ca2
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: cd99cba6153cbc0b14b7a849e4d0180f
  SHA1: 375961866404a705916cbc6cd4915de7d9778923
  SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
  SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml
  MD5: d6f0d8d3f88ebc70e328d497f357df05
  SHA1: 8bcd8dbedd0a2eff3c306c3c124d59edac417b52
  SHA256: 392379d2c7dd5f1f3e3981ac59f86512f974194362fabcc97dad25e274ce43d4
  SHA512: 014b79be96744d233d81640cc397ada44b35577731ff04c39ea929fa427871139554cabea0033968da9be8800151fd5a88216007ddac8b99f1bf9430ddd151ef
- C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms
  MD5: 1bb4b751ee59e1bca3d1d991d5168d8c
  SHA1: c8aa2981a4a71cdbe8ccb7294678887f419dc1e7
  SHA256: e034e0ca684fe75fd1d0cdab26393ffcd4944aa74939226fdc8ac2e54c851b45
  SHA512: dfef346a04d62c81f345c514a3f7dd6563d07dc7b0295a1507cd6b120517ce394f7418d590f0e8e156ddabf1f92ceba14ae4e3f7366891f20a92e41ab05b24d1
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
  MD5: 3b9e529d66812825b1cd108fed21a1d3
  SHA1: 46f3974bc8a5026de06cc7835ec15b1a0eabca15
  SHA256: fed71107d63e8e0e92b77ea898081d504904f66426dba93ebd2b9896d246bee6
  SHA512: 318eac45cedf2789135a6c1c9a972b4794d4335a135a7ce6b134605834f041772ea0f01b7a5e6f205a7dfc7ca3165044397095b60dc82bdd7bcdba4fa415d966
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi
  MD5: 2c0378b52db5b43397dc758356c31d9e
  SHA1: d7ee05c4f9852de47c7f36939a9463c1ab95ead0
  SHA256: b47b6ae1f6ea7335770b0053ef4056d2b8fb585871176779a341e45b1f64838c
  SHA512: c852568e8b15e94dcada9c59d6e5b4551d59e082963a4437c87109ace105af24176c9ba6004302cccbb30a72b61a66968c353aebc51eafc7c459bf7fab627083
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
  MD5: 7211589e865ef4400dc918b05bc6d55b
  SHA1: 3a3a359ef0614c327a9f2ba04b4524778cbf6c44
  SHA256: 4283899b94822e589173b239e18bd6d872bd0de5b9174b3b167e4d14ebb018bc
  SHA512: 4215517a5bc285464b37c5c061634fd062dc276eca0ef3a2c0c207c3e9992387518ddece1a6b9c853169d151eab51b372b78de956a45ddb4142d3f3adad5fe53
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: cd99cba6153cbc0b14b7a849e4d0180f
  SHA1: 375961866404a705916cbc6cd4915de7d9778923
  SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
  SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
- C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
  MD5: f64121b675dc7607560c5c5a05ea3174
  SHA1: a30b1ba668d17f9ed7ea866ae3b756d755074a4d
  SHA256: eb5b7a70f312aad84baa8438702eacf16015201bf72d91f1f9405a1a77b5c4b2
  SHA512: 45f7c93c0b3be65d4de3296ffe7d02633bf909d90fd16d6d901edef58ae6569cc9c91a32397d381d9970b5f6bcc966f5638f41b2683331be2fb61555358d446a
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
  MD5: ec4f7e380cca6ed54fbe9a63696933e6
  SHA1: 74152af45e5a98f0a0d8c3b84bc6ce935ad7a869
  SHA256: b350094ecd5702e25c92556094182f51dbd89884dfb75c9a5d1de6704240adb0
  SHA512: f57788077559fd24c1010ea7a7cf3fa51f927323cd1d052869ba8f077aa2034786c506f937959a982ceefc217a5ec28a70252846054ee07edc8435afc5ccab0a
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
  MD5: d3d584fdc0269b1a2f75b7f752bbd27c
  SHA1: 7ff61d139a6363957799d56474953327e78a7be2
  SHA256: 5a4e6013cbaa08617a54cb9138e8ca5b36f770e6fe3adf5355c94e35d76b1d32
  SHA512: 28c7586dc16e4f589683775cf092a15566040fe33e4b1d4e4e777ad38602560655183fee8453a311853eef00021ac4aea512061a076d3203586f6d67369746bb
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab
  MD5: 65a35f3bde5f424cc4c5a1aa8c2b9bb4
  SHA1: 6c348f0f6aa93f3ec5cc18170741b050e8639fd3
  SHA256: 6d7484c89daa48944bc4445ce1c364d1d455260ca562e1c39c3516233258a2e3
  SHA512: a1f42621cfc1149b6de24923996f4023e7afaa846254330a3887a7c6627d1fe3d864f590b5a6fcaba7860b57f229d4bf54e4da0c3b59647a2b202ef8311c3a4b
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
  MD5: cd99cba6153cbc0b14b7a849e4d0180f
  SHA1: 375961866404a705916cbc6cd4915de7d9778923
  SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
  SHA512: 0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
- C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
  MD5: e0849e89907c8c9e41c17b5b0e84afc0
  SHA1: 15817e2b0d8e2c5b0e2f3bf64a77235cb432abcc
  SHA256: 231a09bd5c5cf9c2479b9552f39c6ede125de213c4df3f346fe1fc2e9b9a51eb
  SHA512: d92ae4cc081d81795b412c493e7fb1620880157b1e4ec898b2b020e53f99600f5c4f20f73ba5a72271ebcfe45e9022b80f9993af363806533fc4584dcd6d356e
- C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab
  MD5: 62bb2d0b8596d74845b3869567dd0a55
  SHA1: d4e4c9e156bce3d5104ab93e95e4f09704e3dbeb
  SHA256: 8fd785830564313d925f21ca83cb954c150cfb0441b05d0d82708ec2e1fab477
  SHA512: 5bae9ef4f6d0ff8374a876715b4133ecbcd44652b2e45258126f23c63d9c8888cc3b5175aae2571850ba9b06ca3ac6c1e304011f38f44f90648dd7b499ffd473
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msiMD5
725ce5349297f6585ac64bcb8c7d4bc7
SHA15cd1977addf761dedef813b42c491fea9ced0ad5
SHA25674dadfe7d9f697c9c8a35554879227d61921578561f572ad9b4cc91479b711f1
SHA512ae1144704a0f632bd705fa01e67b9e3763bb52c80117ca07aeec80756155e102049c4c9c5eb739324518742e33a73cfe60eb4b5f5432cd30cb2953b3d2cc8516
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xmlMD5
714e80f8e9c39d125950504878c70767
SHA1fb6117b7e526fcadb1458a74c3211bd3a8961461
SHA25677dd1405cdc0b853f825646a2617aff08231e7b51cff65df6b9d92492d58fd3d
SHA5125b84d2f7f1e2c78f7ad0706809e72488606123133d2556a53cea3e8573b375967947f04c1bf5e7114b767b9999e916e2b0168f21fb6574ea877388b2471c4524
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xmlMD5
7e07532d0170c442baa67bcf72a2a8de
SHA14142eb9915a0a1ce17f80244825121ebf5dc0637
SHA2560cbd700d71ec685a1934ecb0d1b00765afd0485ff8bd789982b32efe901ec1a7
SHA51231c6f5893e2ffa1efed0951666fbd8b10313fb7beaf8cf5993d3530131d278e696c714e31965f34672072266667596560a5e5e55e266bf28d9c2bd962f74e066
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cabMD5
81b7e38ce740ea0c9ad364bc0abd421f
SHA1545376d9670deac254d09ae5955b85517663f651
SHA256882a791e8fa36401a2374af8a34e0984483468b4ba2c5f777ef5aef63d0e6c0e
SHA5121e9ac6f3e4c504ca9405ce119886132ff231f176f399c6118c1196ad383d1e708a041dabe12c32f22b385f4ddabf075b0760f10fb42abfed3c73a0c7e752cca4
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xmlMD5
dbad26fc84a3e19afc06fb7a341b8a5c
SHA14b30671681ee1448520ed2be0298201c7a8cccaf
SHA2563609b05d0cd08bf8a521f2ef65d29b67ee3b14529ad9c2935084e3ecb275b55a
SHA512d33f570f6c785c1a27982329916bd78f1c09b56a09295467792cca9b38f9e7b5932d1700185cf83e453c30667752600543ba4f0ccc9108d2ea0d1dc599f3cf4b
-
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\MSOCache\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\PerfLogs\Admin\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\PerfLogs\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\Lang\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\7-Zip\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\de-DE\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\Common Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Program Files\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8eMD5
0d5881c5b6b16e80fba7b9a7caf95f5e
SHA1958d567b971e59c2dd1071201eddaeb947ca0c65
SHA256974ba45c0df40b2cd4117cf623cfc9394a02ab4ebc0f94b7a775217ac3ef196f
SHA512d41ad56017eb590fa8f1bd4b1ad94567755af3f70b3ea4afff61c2d18e66161ab5f487036730e04703135ced976599ed45424da27161cee5da02f976ea5b727f
-
C:\RyukReadMe.txtMD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1375961866404a705916cbc6cd4915de7d9778923
SHA25674c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA5120c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda
-
C:\Users\Public\ISiNe.exeMD5
31bd0f224e7e74eee2847f43aae23974
SHA192e331e1e8ad30538f38dd7ba31386afafa14a58
SHA2568b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
-
C:\users\Public\window.batMD5
d2aba3e1af80edd77e206cd43cfd3129
SHA13116da65d097708fad63a3b73d1c39bffa94cb01
SHA2568940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12
SHA5120059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec
-
\Users\Public\ISiNe.exeMD5
31bd0f224e7e74eee2847f43aae23974
SHA192e331e1e8ad30538f38dd7ba31386afafa14a58
SHA2568b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
-
memory/524-54-0x0000000075531000-0x0000000075533000-memory.dmpFilesize
8KB
-
memory/1116-58-0x000000013FFE0000-0x000000014036E000-memory.dmpFilesize
3.6MB
-
memory/1116-60-0x000000013FFE0000-0x000000014036E000-memory.dmpFilesize
3.6MB
-
memory/1812-57-0x000007FEFC0E1000-0x000007FEFC0E3000-memory.dmpFilesize
8KB