ryuk | 781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

Analysis

max time kernel
558s
max time network
712s
platform
windows10_x64
resource
win10-en-20210920
submitted
15-10-2021 15:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

data.exe
Size

139KB
MD5

8555b213260ba5eda4bf37652cecb431
SHA1

80bd92b996fce311b52aa791a8ace4b20f8fb7ab
SHA256

781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a
SHA512

0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'TLS7ST8vlU'; $torlink = 'http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://htv4omqldafxwhum7ya3m37o3zcbo2d7kidcpgvp6lky62gi6czx6iqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process target process

PID 96096 created 2792 96096 WerFault.exe data.exe
PID 174752 created 1932 174752 WerFault.exe nMTATJWcmlan.exe
Executes dropped EXE 3 IoCs

Processes:

uYqbbdGJRrep.exeBYPekEqVilan.exenMTATJWcmlan.exe

pid process

4020 uYqbbdGJRrep.exe
2092 BYPekEqVilan.exe
1932 nMTATJWcmlan.exe

description	pid	process	target process
PID 96096 created 2792	96096	WerFault.exe	data.exe
PID 174752 created 1932	174752	WerFault.exe	nMTATJWcmlan.exe

pid	process
4020	uYqbbdGJRrep.exe
2092	BYPekEqVilan.exe
1932	nMTATJWcmlan.exe

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

data.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\DebugResume.png.RYK	data.exe
File opened for modification	C:\Users\Admin\Pictures\GetInvoke.raw.RYK	data.exe
File opened for modification	C:\Users\Admin\Pictures\TraceExpand.crw.RYK	data.exe
File renamed	C:\Users\Admin\Pictures\DebugResume.png => C:\Users\Admin\Pictures\DebugResume.png.RYK	data.exe
File renamed	C:\Users\Admin\Pictures\TraceExpand.crw => C:\Users\Admin\Pictures\TraceExpand.crw.RYK	data.exe
File renamed	C:\Users\Admin\Pictures\GetInvoke.raw => C:\Users\Admin\Pictures\GetInvoke.raw.RYK	data.exe

Drops startup file 1 IoCs

Processes:

data.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html data.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

2124 icacls.exe
2160 icacls.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

data.exe

description ioc process

File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI data.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	data.exe

pid	process
2124	icacls.exe
2160	icacls.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	data.exe

Drops file in Program Files directory 64 IoCs

Processes:

data.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\hu_get.svg	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntime2019R_PrepidBypass-ul-oob.xrm-ms.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.DataWarehouse.Interfaces.DLL	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\ui-strings.js.RYK	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\as90.xsl	data.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\vlc.mo.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sl\msipc.dll.mui.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js	data.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\faf_icons.png	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\ui-strings.js	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Trial-ul-oob.xrm-ms.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_f33\FA000000033.RYK	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\core\com-sun-tools-visualvm-modules-startup.jar	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\uk\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-sl\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ja-JP\iexplore.exe.mui.RYK	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\jfluid-server.jar.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODATASERVICE.DLL.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\plugin.js	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\file_info2x.png	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\ui-strings.js.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\offsyml.ttf.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png.RYK	data.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019R_Grace-ul-oob.xrm-ms	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial-ul-oob.xrm-ms.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\InstallerMainShell.tlb.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\ui-strings.js	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\OCLTINT.DLL.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_Grace-ul-oob.xrm-ms	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hu-hu\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\ui-strings.js	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\ui-strings.js.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_close_h2x.png.RYK	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols.xml	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\org-netbeans-modules-sampler.jar	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js.RYK	data.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\chstic.dgml	data.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\net.properties	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_basestyle.css.RYK	data.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART11.BDR.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annots.api.RYK	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ccloud.png.RYK	data.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	data.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\am\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\RyukReadMe.html	data.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\improved-office-to-pdf-2x.png.RYK	data.exe

Drops file in Windows directory 6 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

96096 2792 WerFault.exe data.exe
174752 1932 WerFault.exe nMTATJWcmlan.exe

pid	pid_target	process	target process
96096	2792	WerFault.exe	data.exe
174752	1932	WerFault.exe	nMTATJWcmlan.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

2712 SCHTASKS.exe

pid	process
2712	SCHTASKS.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedHeight = "600"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 238aa61cdbc1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2c421c1cdbc1d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{74382397-493A-4686-9557-D192C7B39415}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{F9D397C8-CE83-4357-AC80-D400F3AC3072} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000546299a8c6c774ebea222e9a796c4fdd5c7d73c6b9861fd293b6c27d43431363e749d3bdd931ed02c584d992a467bd6a132bf923279d4971ad129425d84ecbd3d3c5324271dd4dc03f2333110fac420dc5fdf31b3a451f4293bb2a879f73b53f6ef7e92f7a698dc3471fe084b1d99c8bb015341cb31d68b2aad1e42dc551107e74fdd285677658728e9750661990e73f78920deb5bc71df9db7462dbca88161cbdf83742c1a4c4016dad0b24b76f9c7473947c8a46e2a36989c44a8dd1b869363309e7af9a931092a97f28bc8f17ba54493b466ced0dccd3efe16f5a4c81d7fa7d4e6e029de3f558642fd3511429486891a6dcf953ea04f8caeb5e15658314aa94e8f842073530daaedb4675cd438aa5e8f72063c117980afd0226ca3a5e1e2ef2f7bf8c4627993651a518774207680e0d4d76c9d036ad44bb46480456b2bf421b9ce5996a5a3581cdab5a5be81332db4bc859ae1fe6568790d7fae66e1f20294af5ef9d306ecf2c0b0f18978a08ea409587f7bb96c62f0d98d5db15774540f1c7237375d2031885adefb0a32487c1b7baace0d68b788d2f80123621c8f1d13e9803a44fa89c6e58	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d254a4d9dac1d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

data.exeWerFault.exe

pid	process
2792	data.exe
2792	data.exe
2792	data.exe
2792	data.exe
2792	data.exe
2792	data.exe
2792	data.exe
2792	data.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe
96096	WerFault.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

182584 MicrosoftEdgeCP.exe
182584 MicrosoftEdgeCP.exe
199164 MicrosoftEdgeCP.exe
199164 MicrosoftEdgeCP.exe

pid	process
182584	MicrosoftEdgeCP.exe
182584	MicrosoftEdgeCP.exe
199164	MicrosoftEdgeCP.exe
199164	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

svchost.exeWerFault.exeWerFault.exeMicrosoftEdge.exeMicrosoftEdgeCP.exefirefox.exe

description	pid	process
Token: SeBackupPrivilege	2780	svchost.exe
Token: SeRestorePrivilege	2780	svchost.exe
Token: SeSecurityPrivilege	2780	svchost.exe
Token: SeTakeOwnershipPrivilege	2780	svchost.exe
Token: 35	2780	svchost.exe
Token: SeRestorePrivilege	96096	WerFault.exe
Token: SeBackupPrivilege	96096	WerFault.exe
Token: SeDebugPrivilege	96096	WerFault.exe
Token: SeDebugPrivilege	174752	WerFault.exe
Token: SeDebugPrivilege	182748	MicrosoftEdge.exe
Token: SeDebugPrivilege	182748	MicrosoftEdge.exe
Token: SeDebugPrivilege	182748	MicrosoftEdge.exe
Token: SeDebugPrivilege	182748	MicrosoftEdge.exe
Token: SeDebugPrivilege	182552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	182552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	182552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	182552	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	182748	MicrosoftEdge.exe
Token: SeDebugPrivilege	17936	firefox.exe
Token: SeDebugPrivilege	17936	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

WerFault.exefirefox.exe

pid process

96096 WerFault.exe
17936 firefox.exe
17936 firefox.exe
17936 firefox.exe
17936 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

17936 firefox.exe
17936 firefox.exe
17936 firefox.exe

pid	process
96096	WerFault.exe
17936	firefox.exe
17936	firefox.exe
17936	firefox.exe
17936	firefox.exe

pid	process
17936	firefox.exe
17936	firefox.exe
17936	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exefirefox.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
182748	MicrosoftEdge.exe
182584	MicrosoftEdgeCP.exe
182584	MicrosoftEdgeCP.exe
17936	firefox.exe
197988	MicrosoftEdge.exe
199164	MicrosoftEdgeCP.exe
199164	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

data.exenet.exenet.exenet.exenet.exenet.exenet.exeMicrosoftEdgeCP.exefirefox.exe

description	pid	process	target process
PID 2792 wrote to memory of 4020	2792	data.exe	uYqbbdGJRrep.exe
PID 2792 wrote to memory of 4020	2792	data.exe	uYqbbdGJRrep.exe
PID 2792 wrote to memory of 4020	2792	data.exe	uYqbbdGJRrep.exe
PID 2792 wrote to memory of 2092	2792	data.exe	BYPekEqVilan.exe
PID 2792 wrote to memory of 2092	2792	data.exe	BYPekEqVilan.exe
PID 2792 wrote to memory of 2092	2792	data.exe	BYPekEqVilan.exe
PID 2792 wrote to memory of 1932	2792	data.exe	nMTATJWcmlan.exe
PID 2792 wrote to memory of 1932	2792	data.exe	nMTATJWcmlan.exe
PID 2792 wrote to memory of 1932	2792	data.exe	nMTATJWcmlan.exe
PID 2792 wrote to memory of 2124	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2124	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2124	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2160	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2160	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2160	2792	data.exe	icacls.exe
PID 2792 wrote to memory of 2860	2792	data.exe	net.exe
PID 2792 wrote to memory of 2860	2792	data.exe	net.exe
PID 2792 wrote to memory of 2860	2792	data.exe	net.exe
PID 2792 wrote to memory of 520	2792	data.exe	net.exe
PID 2792 wrote to memory of 520	2792	data.exe	net.exe
PID 2792 wrote to memory of 520	2792	data.exe	net.exe
PID 2792 wrote to memory of 2204	2792	data.exe	net.exe
PID 2792 wrote to memory of 2204	2792	data.exe	net.exe
PID 2792 wrote to memory of 2204	2792	data.exe	net.exe
PID 2792 wrote to memory of 60	2792	data.exe	net.exe
PID 2792 wrote to memory of 60	2792	data.exe	net.exe
PID 2792 wrote to memory of 60	2792	data.exe	net.exe
PID 2860 wrote to memory of 1528	2860	net.exe	net1.exe
PID 2860 wrote to memory of 1528	2860	net.exe	net1.exe
PID 2860 wrote to memory of 1528	2860	net.exe	net1.exe
PID 520 wrote to memory of 3952	520	net.exe	net1.exe
PID 520 wrote to memory of 3952	520	net.exe	net1.exe
PID 520 wrote to memory of 3952	520	net.exe	net1.exe
PID 2204 wrote to memory of 2712	2204	net.exe	SCHTASKS.exe
PID 2204 wrote to memory of 2712	2204	net.exe	SCHTASKS.exe
PID 2204 wrote to memory of 2712	2204	net.exe	SCHTASKS.exe
PID 60 wrote to memory of 2320	60	net.exe	net1.exe
PID 60 wrote to memory of 2320	60	net.exe	net1.exe
PID 60 wrote to memory of 2320	60	net.exe	net1.exe
PID 2792 wrote to memory of 2712	2792	data.exe	SCHTASKS.exe
PID 2792 wrote to memory of 2712	2792	data.exe	SCHTASKS.exe
PID 2792 wrote to memory of 2712	2792	data.exe	SCHTASKS.exe
PID 2792 wrote to memory of 15256	2792	data.exe	net.exe
PID 2792 wrote to memory of 15256	2792	data.exe	net.exe
PID 2792 wrote to memory of 15256	2792	data.exe	net.exe
PID 2792 wrote to memory of 15292	2792	data.exe	net.exe
PID 2792 wrote to memory of 15292	2792	data.exe	net.exe
PID 2792 wrote to memory of 15292	2792	data.exe	net.exe
PID 15256 wrote to memory of 15232	15256	net.exe	net1.exe
PID 15256 wrote to memory of 15232	15256	net.exe	net1.exe
PID 15256 wrote to memory of 15232	15256	net.exe	net1.exe
PID 15292 wrote to memory of 15252	15292	net.exe	net1.exe
PID 15292 wrote to memory of 15252	15292	net.exe	net1.exe
PID 15292 wrote to memory of 15252	15292	net.exe	net1.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 182584 wrote to memory of 182552	182584	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 6952 wrote to memory of 17936	6952	firefox.exe	firefox.exe
PID 6952 wrote to memory of 17936	6952	firefox.exe	firefox.exe
PID 6952 wrote to memory of 17936	6952	firefox.exe	firefox.exe
PID 6952 wrote to memory of 17936	6952	firefox.exe	firefox.exe

C:\Users\Admin\AppData\Local\Temp\data.exe
"C:\Users\Admin\AppData\Local\Temp\data.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe
"C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe
"C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:2092

C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe
"C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 11816
3⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:174752

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2124

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2160

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:3952

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:1528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2320

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /CREATE /NP /SC DAILY /TN "PrintBM" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\hYY0I.dll" /ST 10:25 /SD 10/16/2021 /ED 10/23/2021
2⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:15256

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15232

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
- Suspicious use of WriteProcessMemory
PID:15292

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:15252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 57616
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:96096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:182748

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:182804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:182584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:182552

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:6952

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:17936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.0.433345678\1333152240" -parentBuildID 20200403170909 -prefsHandle 1472 -prefMapHandle 1464 -prefsLen 1 -prefMapSize 219808 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 1596 gpu
3⤵
PID:15192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.3.1503705078\586818802" -childID 1 -isForBrowser -prefsHandle 2160 -prefMapHandle 1460 -prefsLen 122 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 2172 tab
3⤵
PID:16712

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.13.189712722\1476030173" -childID 2 -isForBrowser -prefsHandle 3268 -prefMapHandle 3216 -prefsLen 6979 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 3276 tab
3⤵
PID:34732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.20.440649834\1706159610" -childID 3 -isForBrowser -prefsHandle 4608 -prefMapHandle 4548 -prefsLen 7985 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 4492 tab
3⤵
PID:57472

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.27.1557691482\379902066" -childID 4 -isForBrowser -prefsHandle 3524 -prefMapHandle 4120 -prefsLen 8808 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 4072 tab
3⤵
PID:203568

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="17936.34.1387846808\1011200256" -childID 5 -isForBrowser -prefsHandle 3068 -prefMapHandle 4784 -prefsLen 8817 -prefMapSize 219808 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 17936 "\\.\pipe\gecko-crash-server-pipe.17936" 3056 tab
3⤵
PID:203356

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:197988

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:198048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:199164

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:199256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\$Recycle.Bin\S-1-5-21-2481030822-2828258191-1606198294-1000\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\BOOTSECT.BAK.RYK
MD5
61df394d60e973dd90f9fc15383914bd

SHA1
fb578ab509b66beb46632d5cb1d0524af23d9a42

SHA256
0ed7e3782f9d1d6450ea4032a020ed1fc553bf3296e97daa8326414300a12095

SHA512
f42a11c43252d4901290ea601c6ace5117c915b8e503d0ec2c82af410aefeffee182452945cacb10f3aaabe40d7607be05ff5a532179eb88eac53d770f6a9c31

Download Submit
C:\Boot\BOOTSTAT.DAT.RYK
MD5
08af28ca6a05b4eab3a8b3b724f7080b

SHA1
2956bd522b1991cf016b2a414b8b3a86da9ace36

SHA256
f0d27ec939b1d27ffcf608c219001d883c9e726972b4b9312f48a521e7820364

SHA512
139fffdf825df970cbe8d8ccb62bb1da69fb6c66a049af0e48d16ebfb24e3d035a1830c525233cb15e78ea4869b4435ab054ec5d36e34687793b5df50d392b14

Download Submit
C:\Boot\Fonts\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\Resources\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\bg-BG\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\cs-CZ\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\da-DK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\de-DE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\el-GR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-GB\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\en-US\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-ES\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\es-MX\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\et-EE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fi-FI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-CA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\fr-FR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hr-HR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\hu-HU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\it-IT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ja-JP\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ko-KR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lt-LT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\lv-LV\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nb-NO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\nl-NL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pl-PL\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-BR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\pt-PT\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\qps-ploc\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ro-RO\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\ru-RU\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sk-SK\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sl-SI\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sr-Latn-RS\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\sv-SE\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\tr-TR\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\uk-UA\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-CN\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Boot\zh-TW\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\PerfLogs\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp.RYK
MD5
2ec094ca9e7a954a563904c8a7d74386

SHA1
57ea9c7dbcfdc250787d424922d89e2e51ea6a6a

SHA256
b25723a692e31bdf6a0a34ec44f1381756579c852abd46ceabc733d25e809278

SHA512
314ffef44c0c0a43e7489471186bad9511f289af05b1883ea084620a7ba1a33ba6dd4b960d4badea0e8c2e5916b4f72eda92e0f31c874d8adfa502c9d95b9e11

Download Submit
C:\Users\Admin\.oracle_jre_usage\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst.RYK
MD5
3528685d76d93f506304b16d7b3b2b8f

SHA1
5dec4025b5496802a26db0faaddf6d25fa5c88a9

SHA256
8193b6bdbdf5e21d60f80d2f193b162534b1891d820c94390a52bfb449c77cef

SHA512
31e22f4ad3ca3b1924e36c43305e79a5222c956204c5c769372b2dbf3e340ddc6a8097e7aad7670f659095eebb4ec91236d3da09cd04951f2f75c8db175370a7

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt19.lst.RYK
MD5
2275b73b4e776ee9d597cf7bb9bf86be

SHA1
01541a412875a3ff0561c90647ef53ed24fdf65f

SHA256
d084aba689e7abca5b4ba05085addacce7e91ddafb1a6f73913d0bbed01d63b7

SHA512
9a2cb9bb6a6cb9f18fa2a86b609972ae3f4b92696b367c8d35c9997016383ec64897d01af274f1cd2060db755c54a7840fb680c0567b5bd54f5c6ab6fc70a33e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt19.lst.RYK
MD5
c8b99b45ab3ab9eaa73bc37b24f20cf8

SHA1
9adb65a47c0a93f8b159dea5b2cd328870b485a6

SHA256
d4760fadb6564aa2e4fe2e42270813d6a11a2a01e3078857d7339070b98883d9

SHA512
12dec3a6fcf2aff1c6305784dcdb41d33820431b525d7e2150f2e25c8a609f73f7f3cefc446c1e040f5a18fa734cf0034caaeb816c3d7290bf83f5e3eaaf2a07

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat.RYK
MD5
b9fdf3a4db2998f9acb6f0f64f9d349a

SHA1
6298bce9e04f0237712dc828f3fc85eb888f9318

SHA256
1f9740375c83b689c4c3384aa31d1286f6cc464d6d8d5c45aeb4139615e6fa25

SHA512
06c42a9b8c34e4b294bfb4fb63c62e7b314a489e9899bb97f9e8bab9a3e973c49bb7018183dcf699baad4deabecb7f64df1202c806b85db4ca22561a710ff87b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYPekEqVilan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\nMTATJWcmlan.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\Admin\AppData\Local\Temp\uYqbbdGJRrep.exe
MD5
8555b213260ba5eda4bf37652cecb431

SHA1
80bd92b996fce311b52aa791a8ace4b20f8fb7ab

SHA256
781bc4dcbd459893397a8b987bf697f5b95435dfaf7fe3f4d2224728e7a2202a

SHA512
0e4056303a68e4c3af5b639fdc0f434ab81452c4d06d92b97f4a8fa39383a7f963ac9dd09c4e89250678b9bc77b5f9bfd14efc294fd493ffa4c058215ba1b136

Download Submit
C:\Users\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
C:\odt\config.xml.RYK
MD5
bf489822747f3dded29fe0f8765238b5

SHA1
0cdf5ec35bbb1a30fb303f9e79bf15ad516ea332

SHA256
2ec8099e1792ad01870632e9a7267c668b40b88aeb0b2f00d5b23f1206fcb160

SHA512
57c9a133c50a3bd0b4c8518e0e0a87b26306179de5ac7cfa0c7bd1f53af29b2cd364f1d6c44771b8fc902a4fdf3392021104293db5ed8242300fc6c3f73c00dc

Download Submit
C:\users\Public\RyukReadMe.html
MD5
21054314a02299149fdad2a606b294a6

SHA1
321096520dd3f92d0161609e6b92704c1d4d2dda

SHA256
c8c969bb1aabfad658c265b6bd85db4c7d2076665d8466be6a70758a7b23737d

SHA512
7aaf0783de336997215ce66948cb5fe2ef5e601fc2eb4a0ad1e886d601861f4c79fe34ac4b44a0c29876254f6b74ea682e185841cc9c652fb664210e5b823a8e

Download Submit
memory/60-138-0x0000000000000000-mapping.dmp

Download
memory/520-135-0x0000000000000000-mapping.dmp

Download
memory/1528-139-0x0000000000000000-mapping.dmp

Download
memory/1932-121-0x0000000000000000-mapping.dmp

Download
memory/2092-118-0x0000000000000000-mapping.dmp

Download
memory/2124-124-0x0000000000000000-mapping.dmp

Download
memory/2160-125-0x0000000000000000-mapping.dmp

Download
memory/2204-137-0x0000000000000000-mapping.dmp

Download
memory/2320-142-0x0000000000000000-mapping.dmp

Download
memory/2712-163-0x0000000000000000-mapping.dmp

Download
memory/2712-141-0x0000000000000000-mapping.dmp

Download
memory/2860-134-0x0000000000000000-mapping.dmp

Download
memory/3952-140-0x0000000000000000-mapping.dmp

Download
memory/4020-115-0x0000000000000000-mapping.dmp

Download
memory/15232-195-0x0000000000000000-mapping.dmp

Download
memory/15252-196-0x0000000000000000-mapping.dmp

Download
memory/15256-193-0x0000000000000000-mapping.dmp

Download
memory/15292-194-0x0000000000000000-mapping.dmp

Download
memory/197988-197-0x000001793B020000-0x000001793B030000-memory.dmp

Filesize
64KB

Download