ryuk | 60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

Analysis

max time kernel
100s
max time network
8s
platform
windows7_x64
resource
win7v20201028
submitted
10-04-2021 20:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bPQDRgviZlan.exe
Size

136KB
MD5

45295780f2ba837be42ccf50710bd2b5
SHA1

f937b1b7b3593a38702f870077658a891974edda
SHA256

60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025
SHA512

588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'spyZ3Hxws'; $torlink = 'http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://smtpys6pvcvdvram6xucwecfv7rdhs6fmxzivrbcrncdeiphryhb75id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 2 IoCs

Processes:

oXkmcHcGMrep.exewwMzGyhcylan.exe

pid process

792 oXkmcHcGMrep.exe
1692 wwMzGyhcylan.exe
Loads dropped DLL 6 IoCs

Processes:

bPQDRgviZlan.exe

pid process

1336 bPQDRgviZlan.exe
1336 bPQDRgviZlan.exe
1336 bPQDRgviZlan.exe
1336 bPQDRgviZlan.exe
1336 bPQDRgviZlan.exe
1336 bPQDRgviZlan.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1060 icacls.exe
368 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

pid	process
792	oXkmcHcGMrep.exe
1692	wwMzGyhcylan.exe

pid	process
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe
1336	bPQDRgviZlan.exe

pid	process
1060	icacls.exe
368	icacls.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bPQDRgviZlan.exe

description	pid	process	target process
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	oXkmcHcGMrep.exe
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	oXkmcHcGMrep.exe
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	oXkmcHcGMrep.exe
PID 1336 wrote to memory of 792	1336	bPQDRgviZlan.exe	oXkmcHcGMrep.exe
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	wwMzGyhcylan.exe
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	wwMzGyhcylan.exe
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	wwMzGyhcylan.exe
PID 1336 wrote to memory of 1692	1336	bPQDRgviZlan.exe	wwMzGyhcylan.exe
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	TksiBiAAGlan.exe
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	TksiBiAAGlan.exe
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	TksiBiAAGlan.exe
PID 1336 wrote to memory of 388	1336	bPQDRgviZlan.exe	TksiBiAAGlan.exe

C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe
"C:\Users\Admin\AppData\Local\Temp\bPQDRgviZlan.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1336

C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe
"C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe" 9 REP
2⤵
- Executes dropped EXE
PID:792

C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe
"C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1692

C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe
"C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe" 8 LAN
2⤵
PID:388

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1060

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:368

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:1560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:2044

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1564

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2028

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2100

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
1⤵
PID:3068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

MD5
3799c62a7c82e17ea1a15fb283315175

SHA1
b96e41cb79cb9ca1e3269a2ef27bc324b735d9c0

SHA256
080aa3fb18ad38bbb37fbf8aad0944636268b1ad9da0d2b484217f605771a258

SHA512
3237fa90fad4ade6af665c5c254a7c724e55769c768683482c08b9bfcdbc288fdc8250c35a71578795b1531c020b5862e36cf9c2baf6d6fa538357b1565724f9

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
9a4a6204d35a9d6875566e00b277f92d

SHA1
39fd0db1bc6453499788c253268fffe3639e64b8

SHA256
7161ea8c552d0852754b06ce2503d09e59e943a6b69d236f8194522cd3dbde3b

SHA512
4d8d9edaf0b9ea9a8099892ad9225e6e0e7c78329eb30ec85d1a42ec40b72c5dd222c80603aa123c37a75c08e852154c528df041614b6762873f158ba17eeda1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
1c08d2a9e2da15148a0e277081d9a505

SHA1
410122f9f145b06633f37a9766ed1110b3ab8385

SHA256
3cf9a7c8fed302d780efc66784ae2c798e063f9d32c78106dd9349e392f03db4

SHA512
e53cbbcd3e2bfb6c2933faf5752f863a65be22b6c8e9713f8f0500ac75a911d03be61c6a57e99de915b342b82537a8504cdcb66a430d75894c70531a0abe87e4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

MD5
93fb263cc5d93989d2c61a6e9ee7ebec

SHA1
4d38018802c211b6c3948a741c442c19702b0d6a

SHA256
c5b6dcbac6fb0342ae5d368616a7e65167f256d971c3d6d515c3e8ddc6905349

SHA512
9ec3f619a115fbc885737c7d0fdab874bad442d99de1b63977bf00e9026ea66a25efb5293ab8434b270c31d78e26022304abd9887eb85f38e59804ac23c030c8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
9d2f3fe877d0927ba19f6c796750586a

SHA1
73a7dd1d4ac8a7e72f6a30b283fc3a83d91db3d0

SHA256
f3c43201eabc6b4fe49d1bafceee93c6e95113375426f383588c293ecfa746e8

SHA512
83bceb8309b768c909e6ac9810121f0ebe1e540636eaf8d72b779f069bed7dcb51f9554160764de415ce7799abcec19035a607788c7b6ce630fad142016f9ecb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
aad3f3cae4890a143c09c2e029ba88c5

SHA1
02756651833c46d9b09085de2095851323438756

SHA256
e82d63034948d4326ea0a614a599eb7489cdc9cac0716d950c02827f6d988be6

SHA512
bf3e40c3220d4a9b097a0b12d974efc1f5bffc6fa965b5c023baadfc05da264a137f29c0cb27b3ceb2b366bf1c46c2a7b11e8ca7405698a479a792a8c33fb263

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
8d5a0522b307e019636c08a3f63de2ea

SHA1
8ece4f9ca2b7b9bf356f8678c71b8ab46269d09f

SHA256
4df662ebc6472716710a5f32e3a4bee756d2168ab9e307743782d0e7780b35ed

SHA512
b64630a7d4ad0b70368b5247a52a22edac75a133e0537bbdd8f49373e47148530337a68520b391f100b0bad3a40c8673eb46ca3c15090ac8c9a7da57762f02b1

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
9303de68bef6f9fc251663be1f944d97

SHA1
0beecfa1b57e52020c823458744456a4cce319da

SHA256
a862f5f1b3711c201604b4ff4ba85f7366449f333d9b059e0dba22edf7e21837

SHA512
b3f70c72ff801f3e4ea68050117dc8af5805328016307db4c086316b287761f20c251c6ca5df4ae518b68fc247cac3e3a45ced1c158636a7b99ffbb4126d38ba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
e7ec9a1a7abfe2f615b83faea34487d1

SHA1
b2b39342901288a68c877b0e0b99e518a316ba24

SHA256
28d9ca4e677bc81abb752d0ddcbc8c3261a9e6a6b46e756ed6383c5628041763

SHA512
ca3e9d465c90087c0383476994e419051af2260ace98d7f44edf2ddec152465e605c6adb11d37a6b31b2c5c8280e18fc389b31b55fb7bfc212ec5e3b0a225e40

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
df88e114675b5401020f9c1404cb8ce5

SHA1
0d9efbf15a9fd9f8e6301c741b11ff3ee77efd3e

SHA256
18030b06da5faadd08b96cc8e0b2571674cbe137a9e05a5e21c57947e36f87b7

SHA512
074cc4da2b8372eb8fc3d4fe82a9f6e5e75d301765936209e0070d79fa80fc4b514242e51be3084ee552281dbccefb6c866b3cddb7e82bbb5c1265f55555448a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
ba9fcb0826e7e6e19bba538b75a1ea10

SHA1
ed1b9a3da17fa1323f7a6af06cdc63cf4c086ede

SHA256
5ca02778b548aa4b0daa31b8d49873ee705f28438564d2f5b43a919568cd5f09

SHA512
b5041f975fdc7b4431b04b852816b0f0ac22e17e0f8256011c508fa3aef05fb2c0eefb194ab5452f5bdb4ea618c3167aec0e0b2a1ac9738f6ac275c64b784f1e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
dbfd2598054226725fb235d4080028d3

SHA1
efcb8576b7df6e9749d65d4eab3743195d98c658

SHA256
4d3f80d53f93f2510a549ddcaf6578c8505b32934a4a8e64b93079caed541b92

SHA512
119d3d3bd5ea2ce4bf9e28706588324cffa2b84eadd9f19c0630f0a93ee0c3add2129d7fd99e7bb7aea091d5696f3f9c3cba3289af6162c624a03a092d05644e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
b295b519e72cbc0f93624ebfd8654655

SHA1
861aa9215b06a5bd25410619165c521370245a7d

SHA256
3cd6d69284527bb298ffaeab5dfd888d2f0e8a6795e666abdb939abd33e69d77

SHA512
2446f512755d4f842159133a99fd097f90d9c332814af4d4f3df7c2808f730c57cc116784c539577c5eb7fe58bf562af3080b76f56940c28445c5b1f1c71b584

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
5fb360f62266609dd9e84b698fd05dea

SHA1
6f13775f442af8fbbe5efd1d2d0ffc9e28a2036c

SHA256
dc9c4cc35600a60714e0cabc39c88557f0757fbbfe9261845a480cde0772eedb

SHA512
8c7b22f871b1c61617291fa301e996a8291c82bb450f6bde52b93fc793848d4b4620a8421661e2a5b3576958cd15626ff8ad87f70a28d5177d7ed0d63d5dbca1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
02f8aedecdfa730d2e3ca0aeef7b76ed

SHA1
e70e7b70ea3b72a796a9241c0b42b7c8574fe58d

SHA256
d59b703c7b3e2e4c2a042524be1db4c7284dcb64b599d846dd08ef277d1ffb40

SHA512
8a2d50d230fb3307f1637ed4103fd8d6b60a849db83f91701079f11f4147092c1bc346c360137d755d6bd2e502eb18db06b8c5e89ec92cfe89f0b91d8a0dcddc

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

MD5
4fde6a97fe7a257c638712476a8e7201

SHA1
4b3bf1369adc8e7eedac7b3251db53ef06409b1e

SHA256
83ad4f14c7d3938ccee6b1a96ed8f40489278fc7cdb2c1f7ca7b90bbe891688e

SHA512
83e4cf0897bfa960cac18a1aa82cbf579fbe337d99d8c50c744ab92177406c16e0af7681f5f72716395a1d4927af6804318db8b5bd56ccb4e8bc923c6d227c3f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
f54eb16ce4261dbf419bc8e94c8ab44e

SHA1
990ce47646c30cf206f7888627df2b559232b490

SHA256
95f3303b4fbfdd3a2374f1f03dcad9c97b1ea073697f1c5b60c3da2a04e11fd7

SHA512
a105cb39077da5044c2a74bcc2e71f6992ecc2bc7a9234fd6cad1ee40242709a500d72866a12ca3321c026318772e050a270a605e6684917d94cf0028cda1e22

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
31e41f648c144c7e850ef9cec0b117ef

SHA1
aaf7969e3f28cc675f353ef7655443af8e94bec7

SHA256
b06fb8ad10cc98e3da36dc2c2985cc879d8db7b258ac7bda77d20fa83bce6f88

SHA512
8ae6f0d151922b375ac7aeac96af834a0fcb414f653341f44120b5523c42995a195a4ed7f09dad599a907b1848ebf4b4d9142cf0b208c104bdbd30332a6ddbda

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
ef78d4fd4e74545167cf8540c4be6729

SHA1
43eb18649b1702598af5ded6f5d73cf93ea027b6

SHA256
aac862483239d4b0e275567dac069167d4b813b3a5f335048fd00608e97d2a2d

SHA512
149c2b15eee37341dc97623e5051067c46e31d1c3daf95b319c53b90b8fcf4231e1eb172fea841b7f7b4472ba08d5cb147330df06177e363ef324eaac5a243ba

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
c5b7ecc9b35c8eecf53b26cfbaded0b4

SHA1
729cd753fcd1cad1c26bbbcdfac923912c47e8a6

SHA256
a2903c42475983c94322061c12a12481b7ff2e17967b23fe50040bb1b4b8cfee

SHA512
16702b2becf67c8d40ff48c78e7c928678671d1ab28e65135671e0e305eb6c6b789e415c289c9f82899eba049bb58d5f93d0704875c8ef7cd8a7d72843c1e028

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
fc15c3db49c109c95058907d4e6475f0

SHA1
4274273da587c97a9b13c1a466ac9cc4a01eff99

SHA256
a84c29c844cb79b4c93e05066a938c731a9967c58f735fb63d46256148c79948

SHA512
f2e20562929f49207b52b59a8e4b83f888e54dbc0e35cdf9f7e08fdead8d68a7136101e7cdfb30ae1d01d22a0c6114e13f89e68bb66144c5369cd024aea302af

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
648c21f6dfd9f88fa5c8a3cb54c548f7

SHA1
833c47761bcc16e4963cd12e9c7341a8cf19659d

SHA256
c24457fc053212d61671df6500c159b4adc971bb7287988c84fb51230ec0bc44

SHA512
b32f6e582ba64dbfae6edce258f5aba9cbc9fc2fdcdb8826354cc70c623e6fc78911d456e65311f26fab25ce28aa86501cfa9dcfbf45d52e42f56e088f0eb829

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
6a3b309ad75d036f846510d8f86fa1f0

SHA1
8d9efa8aade42c1df690030badb3bc54ae00e256

SHA256
14d2a74146c9e8d61f9a738550aea013792fb58da87e4646112a303938a1e87b

SHA512
e37b88752102e4c8e247d1e4c329eda79a25b9d3c05269e224b0710d70a59f7a2d9cf3a48b135bbae55c97667fd536c6f81c3991772d8ef61c382e9d8840ab58

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
9c01ce8256b9ea0f66e36988c9b7634e

SHA1
1dcc4a58b8d8e265e8f078cf503f5043814cd862

SHA256
baa6289277c1ee96b272273fa3c74962fff39877a1a36fadaee8e6410e9eab4e

SHA512
f25adf6ac18bbea1ba4885cc8ee7778c1af826b3609a47b5bf2cbe1c012b98f719d6f96e7801daaa4c723795d03010560b7f5437228fb7b85f01844e4a32d1c1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
39e4c6f9a8c25d185d07010b5edd679d

SHA1
458cd96eb33b7d15b5b1de3e25fbd42ffeba548f

SHA256
e2585098fb01f4d2a31e93c7e1b0d640f9b2081549888e41bf7eb9f2f17ff70b

SHA512
7e038ecefbe0f552cc504813a621460f22e2d7569c34b103574bb6b2df9bbf16440544a6603b194ed24f666a985c564101d1f644835b152ed5098ed55ff7811b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
6f0fe709310392a0fb44e61ad920d22f

SHA1
b322530ca8856e8f9ab6e1421c4e038201fc17f0

SHA256
a4c218ee0cd507b53b8a623682dd106e42de7a8da5f1b4202c6b003c5f65444e

SHA512
9ec1f7d422437603e856517a57dfe57dd0e9db20834d5f1219c4adae9a0c493bb9b69693844869d66706599f18abc3382f8ed9708eca404f74a628938f36dd9c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

MD5
f1104790231ac6f3e62940115556382f

SHA1
21822e3449bcb2b8d3cbfc734f35ec90582ad10b

SHA256
7f981321fee35ecf2e00c2e94ce008aaf08aac6d8ea597f34884d91b39768e38

SHA512
7cb5fde15f2809944204c5a854cadf9fa2fd047da570b45aa1fb33e93ee7a70cef54de0eb8f1453d4ac89a83aa24315c8e82d2c030b70acd2142e0ef9920a6ba

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
65ea14f91ec523007d394cf096fa0a7f

SHA1
1bb27bac1dc8c868a8d7f12747e64f15f55d948b

SHA256
474284e9450a680b4fb3743ebe92c68ba6513fbbeef048a7132d655fe57981f8

SHA512
8f91e08bde8c91debda4689a9c7a03083e9d03fd1d281c23dc67fcfe9aed2e47482a925e0dd115cecc3a350f15a8e410a0785fcfb748365bd327d29fda3c848d

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
c9b91363bf81a8027f9f5a6e73c069d7

SHA1
a4714da7196321aa0c64d39855f8da667aec0e2c

SHA256
acbb7c533af126db8257fe8276fc313b7f5a44b01f0e9907e31a9fd25663edf7

SHA512
c43b4af27350ac94111015718cfbd124c5973930c04dfdee56fd9d121ca0b2b6d94ac1a4c5f656d5d4d62ae767bae87ecfda028f53da77e62e538781187c55f4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
dab98662e0747d34702ff7cf4da46ab6

SHA1
7a3d7bd9e2a179e4d7d2f2e17ed787af77ddbbde

SHA256
53fa9c1a758b8e556906675be372501255726e64b57ee738b75902c7614a478d

SHA512
2bcebfd559c99a4f4b09c58d4cc0eb7bed757b0d3f58b42775abef75bb42242bda741cb3e2c6e917013c91cdf71a0fbc7a52d590ed94abca7699eb2f3c018238

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
1b29fd253e92893cbd45f120b1c2063a

SHA1
9b8eacf1c6d00de7e6de8ee9e24ffa90c287ae49

SHA256
57af8b0732958ee3c042a6c72c98bbcc1153c740e2670a11664405d4d51a9db4

SHA512
4107e2ee6bf0bb082d36531a6e3039ddfc00bcc3f1e3266c0aca2f4352de0a92215172afd502b366d026467958e89b18e2192a6d88d9c4961bbaac3b684b59d8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
d30a89f1d2aeac5e5c96ff9ef53ba0ff

SHA1
c499d56cb65198fbad33e9219862bf95366787bc

SHA256
3cce274a2f4ca30576aca14a0293a6075b31e23211fbfcbb7522b093d1f3a89d

SHA512
572cf38927547da2bb4dc4b5412b164c8a1a47a1d599055a410ad7938c79ea3795d53baa5d2f1eb0d41d20bc3c6f1433eb801bc7584497a8c822a0c09de08222

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
d01600d492c3157c7009e786a38bbb58

SHA1
6aa17533ef5404751a63623083ede66eac11c33d

SHA256
1dabc59534b32afc183a73cdae3d18051885abcc1f5e8ff3688a841966c1b95b

SHA512
22f44889d20221719f39e1a0b9996f28589d5522f829668b5bea9a610b24c40f853860a0d4b294aa958ef75244ba3d2610495c8e7fc64058d5cadb14d28a464c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
24dae3e2408fde9f28aca436ce592e68

SHA1
c4cc98d2899ae1278c977ef70e8790915345be99

SHA256
62c7c68d2b2ea514124082a57a0169e0ca4d3c71b265c78a7ee6be2f65da1139

SHA512
31c86a1f253bc7bd2d121bb64dbb25f3b961ad867a2f17b80028be09a2cd6d2f84703d3789d865325f87ac02cb65e1698004223767d2f8909e74c0b9e1aecad0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
874ead0f60e1518b70661df690d71fb2

SHA1
a93876dba14a1d2d22ff58656c6c648b707f9490

SHA256
1c73aa7a545a4585c9213cd43a01555a1aeb7a5117a7c480b0386589505bbe1b

SHA512
e4952e56411b03e07d7be8c3a1676ed01960c214b98ea83eabacfd8be3676facd6bedd2f6edd1d93c8a349a73c35a60d1af8b193cf1b357c5cf3c6071da0fa08

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
98765b789a0f86580ffb8a9b61594d48

SHA1
4bdcb60c9204c75d16f00e8d34474c17740e34bf

SHA256
9f52f8a98e5e826abc3990f98491e8b326a41c42fcdd7c363141131dcbfde068

SHA512
a69785df39e8bc563a35eb366df0b13d2c64e36e5897656c0a72da7d13118b4c631818dfde36205c615d0de1f64c4e15689b7ecd0fddd88ebd984d80d9d3d206

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
6ee3867a097e91001b1a708f22bd8ea3

SHA1
d36ce826686f8a8476e97463b4900ecc95743981

SHA256
130497a347fd5386f5cf8db31b72f2dbe9477fad6ba4e4cae483d8a88a287f84

SHA512
ff77910af347bcd45fc67bfc7478e12c6f66030e90c5a6d64b830279766d8973b5a2f49910e463b1346592d040fddc5535266e948bd164d4b6e262d7dd445e7d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
5754048c288021cbe7aa15542f60edf8

SHA1
7e5e64d72693d5b68d8f7856662715e1f037e24f

SHA256
f68ce0623986dc1dab62e4fd8cfb84c76719c9a64394d5a4c2748db33eda3193

SHA512
30dcf6fba5d245cf0e15958ee5f7af040d2ac0c3c9c45a664e97568b59c5c697c6122868e10679d338c5730b63fda183ae63935ad1e69f24c7ffd6897f9acc16

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
dc03020e04d7edd17094a330b7c5e13d

SHA1
0c56520f59ff5990e2264b2038b2176847a83452

SHA256
7831ff8ea74c52ce0183474d96b219ac22dcfe6da207a47bd7662f9341e0affd

SHA512
cac686edc70b4c70e7faf00ed72f175f1f5301706b3f4741f43f9d6e6b9839280ebf5b2dd2393f1b38e27797bbdda7d325409ac89d18f3a3c36bf6b48e35d7ba

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
89f5aecd6fe902f573b7fc736a4ddf6a

SHA1
c39409939b1ea5ae091893927f0ea77541764023

SHA256
09cb54d4027afaef70a84eff454763811840fa2ee638ada771d3cc9c5a84d4f8

SHA512
1f97a278829be381034901f93bad516f0ec4bad0f45c21cae016a464907f8fed3ca894d21d7101fc53e4d30c984670da1607d31d4dbb4b6f8c6f8574a1a15550

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
c489b92deca70abc8c1cb2a3d454b24e

SHA1
6f5266e9db5fa2f5a9d19a290500a903bbd77af8

SHA256
5b431de9da742c993e6b48796bf1dfc7d114ae0deb56cbd67862b0eaa13fe29c

SHA512
b56c5b684af7dfca6c10217c1cfb3508de324a383719d8c7273130a6cb5ff35080c2066e0a0f96a63eb1808424759597cd9d475dabb993024ee906dc10404598

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
c7109aa9212efd044c9f77c6d56ec191

SHA1
4ad94fd71d0f0b4a780de07ce72f03552b6971e8

SHA256
2a8a69f557533c09445739e9e9ff07b2a2268b6a4f615d3f5ec28f242a94b4a6

SHA512
934d57caf50c489bf7dee1da8bde02bba057ce36f49d2ec59a32d3b975b0ec1fd6ace48ee768e5cfea498ffaad4a0f8df575d8060ebef0f3dcb17f03c3323cd5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
4bed6b99d59bbf8a515793770439827c

SHA1
e118ba6c25db8627bac487be01cdae1ef3006584

SHA256
76eac0faf026dcf79f293832f857c402d60a9868836d3ebb10f7ed8ac65c1fc3

SHA512
492860d8c0a5e06905e09056f645d9bd93c32ad6434466961202f6220a67ab2c8708d83c41803c6c44cc0092e4275974bb14d5bcb3d123ea5453cdd4f9bb8d7c

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
c0be3c3005c0786c0bcd0622b4d1ac25

SHA1
8480eaedf9d042bbc76031ba60f2166ba9333be8

SHA256
bda6584799aae1729e4daecd38312e69bfd6684a44e1920c4fb241e9c727be75

SHA512
8b5640e697bb38c7f6bf76c47454bcebbbdced1ffcc781d87d85708eefec0874550f84801e7b13b596db344c897ce24d22557067507f0d37f9108e662800a078

Download Submit
C:\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\TksiBiAAGlan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\oXkmcHcGMrep.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
\Users\Admin\AppData\Local\Temp\wwMzGyhcylan.exe

MD5
45295780f2ba837be42ccf50710bd2b5

SHA1
f937b1b7b3593a38702f870077658a891974edda

SHA256
60c16e45c5cbe88a38911f1e3176d90444e4884261d8481d4d719acec1bc5025

SHA512
588666aa108f01334c2e0adc03aa68d5e3ebb68ee773939b668a5a6ca1eacf03570b7608d4ca3c936dd7f7ec6edd4063a05b1cef7d446661c8f00f8520e72f8b

Download Submit
memory/368-74-0x0000000000000000-mapping.dmp

Download
memory/388-71-0x0000000000000000-mapping.dmp

Download
memory/668-134-0x0000000000000000-mapping.dmp

Download
memory/792-63-0x0000000000000000-mapping.dmp

Download
memory/1060-73-0x0000000000000000-mapping.dmp

Download
memory/1336-60-0x0000000075DE1000-0x0000000075DE3000-memory.dmp

Filesize
8KB

Download
memory/1560-135-0x0000000000000000-mapping.dmp

Download
memory/1564-136-0x0000000000000000-mapping.dmp

Download
memory/1692-67-0x0000000000000000-mapping.dmp

Download
memory/2028-131-0x0000000000000000-mapping.dmp

Download
memory/2044-137-0x0000000000000000-mapping.dmp

Download
memory/2100-130-0x0000000000000000-mapping.dmp

Download
memory/2956-132-0x0000000000000000-mapping.dmp

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download