ryuk | ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

Analysis

max time kernel
1802s
max time network
1236s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
06-05-2022 15:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
Size

118KB
MD5

a31089dc3cafe77c39268273d689193b
SHA1

032e0b9a0bf012401507be974ee6bdb3e6726fd7
SHA256

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66
SHA512

d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'N2QvTsXamJ'; $torlink = 'http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://zq6gyokyso6dgsxitjuk2tkq2rl4saq4tkz2idcf6z3tfondtvemshad.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Executes dropped EXE 3 IoCs

Processes:

suiZQtrtqrep.exefuAtOAUMclan.exeAxHvRiYNQlan.exe

pid	Process
3944	suiZQtrtqrep.exe
4212	fuAtOAUMclan.exe
7616	AxHvRiYNQlan.exe

Modifies extensions of user files 19 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\ClearGroup.tiff	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\DenyConvertFrom.tiff => C:\Users\Admin\Pictures\DenyConvertFrom.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\RemoveComplete.tiff => C:\Users\Admin\Pictures\RemoveComplete.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\ClearGroup.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\DisableRevoke.raw => C:\Users\Admin\Pictures\DisableRevoke.raw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\RenameUnpublish.tif.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterFormat.png.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\DenyConvertFrom.tiff	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\ClearGroup.tiff => C:\Users\Admin\Pictures\ClearGroup.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\RenameUnpublish.tif => C:\Users\Admin\Pictures\RenameUnpublish.tif.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\DenyConvertFrom.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\DismountResize.crw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\EnableStep.crw => C:\Users\Admin\Pictures\EnableStep.crw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\DismountResize.crw => C:\Users\Admin\Pictures\DismountResize.crw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveComplete.tiff	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File renamed	C:\Users\Admin\Pictures\UnregisterFormat.png => C:\Users\Admin\Pictures\UnregisterFormat.png.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\DisableRevoke.raw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\EnableStep.crw.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveComplete.tiff.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Drops startup file 1 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exe

pid	Process
36276	icacls.exe
36288	icacls.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Drops file in Program Files directory 64 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_ja_4.4.0.v20140623020002.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\GIFIMP32.FLT	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\ui-strings.js	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\ui-strings.js	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\plugin.js	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\example_icons2x.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\hive.xsl.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Grace-ppd.xrm-ms	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vreg\proof.es-es.msi.16.es-es.vreg.dat	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\New_Skins.url	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\EXCELPLUGINCORE.DLL.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\osmuxmui.msi.16.en-us.tree.dat.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jvmti.h	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\vlc.mo	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\sl.pak.DATA	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\LICENSE.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-multiview_zh_CN.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ARIALNI.TTF	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\AppStore_icon.svg	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started.png	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.security.ui_1.1.200.v20130626-2037.jar.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr.jar.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\text.cur.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\access-bridge-64.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\plugin.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\dropins\README.TXT.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\management.properties.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\mshwLatin.dll.mui.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\MANIFEST.MF	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019XC2RVL_MAKC2R-ul-phn.xrm-ms	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jce.jar.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui_5.5.0.165303.jar.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\rhp_world_icon_hover_2x.png.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\rhp_world_icon_2x.png.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\SoftLandingAssetDark.gif	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-ul-oob.xrm-ms.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-oob.xrm-ms.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUABI.TTF	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\RyukReadMe.html	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-pl.xrm-ms.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ql.nl_zh_4.4.0.v20140623020002.jar	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\zh-cn_get.svg	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\ui-strings.js.RYK	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1.219508e+06	1388	WerFault.exe	78

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

SCHTASKS.exe

pid	Process
420204	SCHTASKS.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

pid	Process
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exenet.exe

description	pid	Process	procid_target
PID 1388 wrote to memory of 3944	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	86
PID 1388 wrote to memory of 3944	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	86
PID 1388 wrote to memory of 3944	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	86
PID 1388 wrote to memory of 4212	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	88
PID 1388 wrote to memory of 4212	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	88
PID 1388 wrote to memory of 4212	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	88
PID 1388 wrote to memory of 7616	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	90
PID 1388 wrote to memory of 7616	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	90
PID 1388 wrote to memory of 7616	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	90
PID 1388 wrote to memory of 36276	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	91
PID 1388 wrote to memory of 36276	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	91
PID 1388 wrote to memory of 36276	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	91
PID 1388 wrote to memory of 36288	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	92
PID 1388 wrote to memory of 36288	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	92
PID 1388 wrote to memory of 36288	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	92
PID 1388 wrote to memory of 57328	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	96
PID 1388 wrote to memory of 57328	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	96
PID 1388 wrote to memory of 57328	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	96
PID 57328 wrote to memory of 56148	57328	net.exe	98
PID 57328 wrote to memory of 56148	57328	net.exe	98
PID 57328 wrote to memory of 56148	57328	net.exe	98
PID 1388 wrote to memory of 56024	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	99
PID 1388 wrote to memory of 56024	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	99
PID 1388 wrote to memory of 56024	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	99
PID 56024 wrote to memory of 56060	56024	net.exe	101
PID 56024 wrote to memory of 56060	56024	net.exe	101
PID 56024 wrote to memory of 56060	56024	net.exe	101
PID 1388 wrote to memory of 56020	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	102
PID 1388 wrote to memory of 56020	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	102
PID 1388 wrote to memory of 56020	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	102
PID 1388 wrote to memory of 56168	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	104
PID 1388 wrote to memory of 56168	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	104
PID 1388 wrote to memory of 56168	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	104
PID 56020 wrote to memory of 53528	56020	net.exe	106
PID 56020 wrote to memory of 53528	56020	net.exe	106
PID 56020 wrote to memory of 53528	56020	net.exe	106
PID 56168 wrote to memory of 53588	56168	net.exe	107
PID 56168 wrote to memory of 53588	56168	net.exe	107
PID 56168 wrote to memory of 53588	56168	net.exe	107
PID 1388 wrote to memory of 294372	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	117
PID 1388 wrote to memory of 294372	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	117
PID 1388 wrote to memory of 294372	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	117
PID 294372 wrote to memory of 4976	294372	net.exe	119
PID 294372 wrote to memory of 4976	294372	net.exe	119
PID 294372 wrote to memory of 4976	294372	net.exe	119
PID 1388 wrote to memory of 295064	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	120
PID 1388 wrote to memory of 295064	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	120
PID 1388 wrote to memory of 295064	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	120
PID 295064 wrote to memory of 295112	295064	net.exe	122
PID 295064 wrote to memory of 295112	295064	net.exe	122
PID 295064 wrote to memory of 295112	295064	net.exe	122
PID 1388 wrote to memory of 420204	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	129
PID 1388 wrote to memory of 420204	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	129
PID 1388 wrote to memory of 420204	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	129
PID 1388 wrote to memory of 442512	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	131
PID 1388 wrote to memory of 442512	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	131
PID 1388 wrote to memory of 442512	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	131
PID 442512 wrote to memory of 442560	442512	net.exe	133
PID 442512 wrote to memory of 442560	442512	net.exe	133
PID 442512 wrote to memory of 442560	442512	net.exe	133
PID 1388 wrote to memory of 446620	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	134
PID 1388 wrote to memory of 446620	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	134
PID 1388 wrote to memory of 446620	1388	ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe	134
PID 446620 wrote to memory of 446668	446620	net.exe	136

C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe
"C:\Users\Admin\AppData\Local\Temp\ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66.exe"
1⤵
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\suiZQtrtqrep.exe
  "C:\Users\Admin\AppData\Local\Temp\suiZQtrtqrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\Users\Admin\AppData\Local\Temp\fuAtOAUMclan.exe
  "C:\Users\Admin\AppData\Local\Temp\fuAtOAUMclan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\AxHvRiYNQlan.exe
  "C:\Users\Admin\AppData\Local\Temp\AxHvRiYNQlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:7616
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:36276
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:36288
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:57328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:56148
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:56024
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:56060
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:56020
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:53528
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:56168
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:53588
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:294372
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:4976
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:295064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:295112
- C:\Windows\SysWOW64\SCHTASKS.exe
  SCHTASKS /CREATE /NP /SC DAILY /TN "PrinteL" /TR "C:\Windows\System32\cmd.exe /c for /l %x in (1,1,50) do start wordpad.exe /p C:\users\Public\sZxjc.dll" /ST 10:25 /SD 05/07/2022 /ED 05/14/2022
  2⤵
  - Creates scheduled task(s)
  PID:420204
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:442512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:442560
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:446620
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:446668
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:600000
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:600056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:603568
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:603620
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:675664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:675092
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:675244
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:675340
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:632824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:675792
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:3056
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:675056
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:713624
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:714544
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:714548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:714500
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:893820
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:893884
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.05644e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056504e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056608e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.05672e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056096e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056304e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.055776e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.055888e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:36740
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:866804
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056108e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056204e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056724e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056752e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:762296
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056624e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.05572e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056092e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056004e+06
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1.05644e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056104e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.056184e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056656e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:628604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.056392e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.103368e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.10388e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.105728e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.10578e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.214248e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.214304e+06
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:1.214332e+06
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:1.214384e+06
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 534876
  2⤵
  - Program crash
  PID:1.219508e+06

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1388 -ip 1388
1⤵
PID:1.217996e+06

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1388 -ip 1388
1⤵
PID:1.22278e+06

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\$Recycle.Bin\S-1-5-21-2632097139-1792035885-811742494-1000\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\USS.jtx

Filesize
3.0MB

MD5
2b89d56deb068051e1895bb336c800e3

SHA1
0bc56cd5239ffa92bce8f2816eef2d0280ad8d97

SHA256
2fa906d3b4da5f6078aab595e0d7843142e07a25a26cf972541c90cb911128bd

SHA512
119b49ff1b3977ffc3bc3e3806f607be585c37954b44090850990872fdd3131f89539599a1f3722312dbc77b24553fc2a93ed2b0f0f3c9746115bfbbf30f9138

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Comms\UnistoreDB\store.vol

Filesize
6.0MB

MD5
548675771dc5c6e3eb66df2f84a4a7bb

SHA1
2d4ae087e044d247cfe894ed306babe9a5f2c1c1

SHA256
cbc22c40e7b39f78a21443dbe38e4907a32e8c2895f66d5ab70c66fd331adf91

SHA512
9106ad8b5b124fff15971197894dc23a65be6567a5e1edc5d802773b050acfd06542879af4a64d73c503d09abcbab0a1934b7b6140fb0f6d86462495837019ca

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Documents and Settings\Admin\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\DumpStack.log.tmp.RYK

Filesize
8KB

MD5
6c3802bbea7bd39dbe31a1f2da92d433

SHA1
be084f8fe5cc7f9e7b1fa31059f6536c4e313509

SHA256
a529ae91c2998e80ba880ff0eea6018fc0984736a249f77ccbbe0b6f53dadf02

SHA512
4f303b3ccea19f37540fda53df0aae493911ef79f6e414592ce0ac9a6fc93ef778744000414938f6cffa315939c8fe62502186e9ed428df74638b09e1cac7465

Download Submit
C:\PerfLogs\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jcp.RYK

Filesize
8KB

MD5
6aaff04e64589a5a2c6d93419f4cb3f4

SHA1
e73a96650fb27759921d427d409ff21020d2f1ee

SHA256
1c801b75511c066bf92ff08c953cf17ec87162ec73830bf7b1875d4a4c29fd09

SHA512
6e6319d6f76d7aa96b483a22ae40b6af8514e2de3f6caddeda08daa32534a7626fe85af1906786525a39e3a6f26296d7f83d14c18cfda4b664e8c137e53c1c6a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx

Filesize
3.0MB

MD5
2b89d56deb068051e1895bb336c800e3

SHA1
0bc56cd5239ffa92bce8f2816eef2d0280ad8d97

SHA256
2fa906d3b4da5f6078aab595e0d7843142e07a25a26cf972541c90cb911128bd

SHA512
119b49ff1b3977ffc3bc3e3806f607be585c37954b44090850990872fdd3131f89539599a1f3722312dbc77b24553fc2a93ed2b0f0f3c9746115bfbbf30f9138

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm.RYK

Filesize
16KB

MD5
c7e9fc9c8bddb8846e730d8abfb3289c

SHA1
d5fe94ae7c5c8dfb072bb2ad8d21c1d398b7b231

SHA256
f1d735473ff07d4dcf558c9eabff148876dfa9684bdd3f948c69cd89919d0637

SHA512
2f8c16f6be25a9cd79a5c79932cbd818df07d7e5393114da316267833ff2dd61b079e971bb64ce0d58f52ea7de5588d98067dce1fdf07e4e59635a37d220099c

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.vol

Filesize
6.0MB

MD5
548675771dc5c6e3eb66df2f84a4a7bb

SHA1
2d4ae087e044d247cfe894ed306babe9a5f2c1c1

SHA256
cbc22c40e7b39f78a21443dbe38e4907a32e8c2895f66d5ab70c66fd331adf91

SHA512
9106ad8b5b124fff15971197894dc23a65be6567a5e1edc5d802773b050acfd06542879af4a64d73c503d09abcbab0a1934b7b6140fb0f6d86462495837019ca

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Comms\Unistore\data\temp\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Credentials\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
c0962896f42166ed598323fe09a47d29

SHA1
9875c5caa633bc55215df341ac436cd21d19ded5

SHA256
d99d3f8f033b348cc8f8f28292655b5137684e319616d5f02d6c358b8a6b79b8

SHA512
8bc7c7c104e34d1daa2fe3524e726d9a45cfa31321b2506628d4a19cdb8e9a4ae8890c0a6952dc845da7a38118a05abe6433388975313c1ebcf59794b982dbcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
4f8ec3b79f9b44609aa7203cddf45fed

SHA1
496214ad697e0d9881e9fb6ca1296165b2a62cf9

SHA256
458d4369dbdea4b8affcdcce0ad79ff651dceef9eb2a53fbd8c3ae0b30697447

SHA512
b69f34711d4e3265f0c9701c3da66921957776f2a323d3fb3f80b3405d81c2ac2365aa7308c27edef27c9d7e664707b01e6ce5be1013a347a438fb747cef7b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
47dc10d5fb825cd3072efb81fefcc047

SHA1
9f3afe2a8def2b93ab505f4f48df3e1fba8b16af

SHA256
b8c0ce06a205cc7f0a877054b06c2d9f8c1594f5793ad7fd0c9b6da435ba75f2

SHA512
558a33676559614f641a9ba3fa0edf89730653eb15321bb6a2b753686b266666dfe74326db5ffc78d1aee325d238cc630bfb0f5a8d4f726208195486076ff6ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\README.RYK

Filesize
466B

MD5
2acca438a95fdf58c75f24f46ecdc487

SHA1
78ffa4fc5051caf831167a7a44c56582cc0e9216

SHA256
71e8a60318c265d41b89e84f3ec8b88866cd00691bbf43d8e48d35dc9db1164f

SHA512
75e4959852611be8ee2500c6bed5b52dcd06a00edc569fd09bdd1353d1b679300f04586be52cd9c36bb1266c305e30f630766584fdea18f0b60b9c0f3149cc00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
4e05b2c15db49cadaed10f5e89de7b70

SHA1
90a6beb8aef8f1e0331abbe5346c0ecff0527ce9

SHA256
7ae5f0726785baf433f7d253bc8273aecdfbce579d1f800cd4d69f00f0a0c7ee

SHA512
3cb2f9f9f3dc404d239b1850503f828cd23b180cdb51eac0018137c705e310fb671ed3b08857e3100743b0f18eb89d3b00f967be483895415168bd699f707365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State.RYK

Filesize
3KB

MD5
205282cca67793673236e5be0be84961

SHA1
66f02b25e4d7f942488892ce3a3aed120cce07e0

SHA256
93ff46a30423c2b0787e14c5cecebab76b7926598a2050154b67d28eb42430d5

SHA512
f42dbeaed9d6d0e2e355570853746904b3cb9c44deaa34c08e7ec852287f97c52e082f31f19a10bcb70e3cba7a61fd2723ba93eab24e38a12bb98ac702ce0162

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Feeds\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\GameDVR\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\Low\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\af-ZA\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-AE\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-BH\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-DZ\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-EG\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-IQ\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-JO\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-KW\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LB\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-LY\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-MA\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-OM\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-QA\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SA\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-SY\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-TN\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\ar-YE\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\az-Latn-AZ\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\input\bg-BG\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Temp\AxHvRiYNQlan.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\AxHvRiYNQlan.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuAtOAUMclan.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\fuAtOAUMclan.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\suiZQtrtqrep.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\suiZQtrtqrep.exe

Filesize
118KB

MD5
a31089dc3cafe77c39268273d689193b

SHA1
032e0b9a0bf012401507be974ee6bdb3e6726fd7

SHA256
ffbf608aaef69e1ee53f8303c685604dd584985f809d19f6cbc914fa86b3ae66

SHA512
d92748b34286c21f4781b147000be1b54cf57e14587517638647b8369ccd01b3ecb00545be0d87d44f9dde6b30a404db2740bf06275dea647efc33eafd65d2f4

Download Submit
C:\Users\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\odt\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
C:\odt\config.xml.RYK

Filesize
978B

MD5
5f5054d35c85b6634625750509d0031a

SHA1
89a7cfcecf6a4448d994d758e54ee1a0e7a2b1e8

SHA256
b5e645899c4827ee5c01a47cb49e7b68a66b6293cbf8828244f383251b63a058

SHA512
574edd875d429a1d0ca14744f2c99aac664f145c54076e3c0beedcb0b03798c856beb07c3a5ad03bdfaa95876869cae6e313c324fc50aec07050709e5e7d57b4

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
8398b1f229e0d80c65e262ae92085a90

SHA1
5142f7b7f9dc13ac8a07eac6e1240efa84e3bc8d

SHA256
4e374f86295c56c4c0d57b134d9035377b0d17b6fe418fd790cdfb3f7a9d03b5

SHA512
113b51cb8fcbc1c61161434948aa0297ce2ce889100ab1827d1a7d0a76e65d99e97d590b43911b450cc931ec4517affe26860af072e967294656d9e7e83ee687

Download Submit
memory/3056-226-0x0000000000000000-mapping.dmp

Download
memory/3944-130-0x0000000000000000-mapping.dmp

Download
memory/4212-133-0x0000000000000000-mapping.dmp

Download
memory/4976-208-0x0000000000000000-mapping.dmp

Download
memory/7616-136-0x0000000000000000-mapping.dmp

Download
memory/36276-140-0x0000000000000000-mapping.dmp

Download
memory/36288-141-0x0000000000000000-mapping.dmp

Download
memory/36740-242-0x0000000000000000-mapping.dmp

Download
memory/53528-157-0x0000000000000000-mapping.dmp

Download
memory/53588-158-0x0000000000000000-mapping.dmp

Download
memory/56020-155-0x0000000000000000-mapping.dmp

Download
memory/56024-153-0x0000000000000000-mapping.dmp

Download
memory/56060-154-0x0000000000000000-mapping.dmp

Download
memory/56148-152-0x0000000000000000-mapping.dmp

Download
memory/56168-156-0x0000000000000000-mapping.dmp

Download
memory/57328-151-0x0000000000000000-mapping.dmp

Download
memory/294372-207-0x0000000000000000-mapping.dmp

Download
memory/295064-209-0x0000000000000000-mapping.dmp

Download
memory/295112-210-0x0000000000000000-mapping.dmp

Download
memory/420204-211-0x0000000000000000-mapping.dmp

Download
memory/442512-212-0x0000000000000000-mapping.dmp

Download
memory/442560-213-0x0000000000000000-mapping.dmp

Download
memory/446620-214-0x0000000000000000-mapping.dmp

Download
memory/446668-215-0x0000000000000000-mapping.dmp

Download
memory/600000-216-0x0000000000000000-mapping.dmp

Download
memory/600056-217-0x0000000000000000-mapping.dmp

Download
memory/603568-218-0x0000000000000000-mapping.dmp

Download
memory/603620-219-0x0000000000000000-mapping.dmp

Download
memory/628604-256-0x0000000000000000-mapping.dmp

Download
memory/632824-224-0x0000000000000000-mapping.dmp

Download
memory/675056-227-0x0000000000000000-mapping.dmp

Download
memory/675092-221-0x0000000000000000-mapping.dmp

Download
memory/675244-222-0x0000000000000000-mapping.dmp

Download
memory/675340-223-0x0000000000000000-mapping.dmp

Download
memory/675664-220-0x0000000000000000-mapping.dmp

Download
memory/675792-225-0x0000000000000000-mapping.dmp

Download
memory/713624-228-0x0000000000000000-mapping.dmp

Download
memory/714500-231-0x0000000000000000-mapping.dmp

Download
memory/714544-229-0x0000000000000000-mapping.dmp

Download
memory/714548-230-0x0000000000000000-mapping.dmp

Download
memory/762296-248-0x0000000000000000-mapping.dmp

Download
memory/866804-243-0x0000000000000000-mapping.dmp

Download
memory/893820-232-0x0000000000000000-mapping.dmp

Download
memory/893884-233-0x0000000000000000-mapping.dmp

Download
memory/1055720-250-0x0000000000000000-mapping.dmp

Download
memory/1055776-240-0x0000000000000000-mapping.dmp

Download
memory/1055888-241-0x0000000000000000-mapping.dmp

Download
memory/1056004-252-0x0000000000000000-mapping.dmp

Download
memory/1056092-251-0x0000000000000000-mapping.dmp

Download
memory/1056096-238-0x0000000000000000-mapping.dmp

Download
memory/1056104-253-0x0000000000000000-mapping.dmp

Download
memory/1056108-244-0x0000000000000000-mapping.dmp

Download
memory/1056184-254-0x0000000000000000-mapping.dmp

Download
memory/1056204-245-0x0000000000000000-mapping.dmp

Download
memory/1056304-239-0x0000000000000000-mapping.dmp

Download
memory/1056392-257-0x0000000000000000-mapping.dmp

Download
memory/1056440-234-0x0000000000000000-mapping.dmp

Download
memory/1056504-235-0x0000000000000000-mapping.dmp

Download
memory/1056608-236-0x0000000000000000-mapping.dmp

Download
memory/1056624-249-0x0000000000000000-mapping.dmp

Download
memory/1056656-255-0x0000000000000000-mapping.dmp

Download
memory/1056720-237-0x0000000000000000-mapping.dmp

Download
memory/1056724-246-0x0000000000000000-mapping.dmp

Download
memory/1056752-247-0x0000000000000000-mapping.dmp

Download