ryuk | 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

Analysis

max time kernel
104s
max time network
14s
platform
windows7_x64
resource
win7v20210408
submitted
13-09-2021 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
Size

144KB
MD5

89895cf4c88f13e5797aab63dddf1078
SHA1

1efc175983a17bd6c562fe7b054045d6dcb341e5
SHA256

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a
SHA512

d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\$Recycle.Bin\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'UWUEbcQLr'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Executes dropped EXE 3 IoCs

Processes:

1073r.exewjkfIFenUlan.exedlkypkltUlan.exe

pid process

1544 1073r.exe
1540 wjkfIFenUlan.exe
764 dlkypkltUlan.exe

pid	process
1544	1073r.exe
1540	wjkfIFenUlan.exe
764	dlkypkltUlan.exe

Loads dropped DLL 6 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid	process
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

528 icacls.exe
396 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid process

1640 8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

pid	process
528	icacls.exe
396	icacls.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe

description	pid	process	target process
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1640 wrote to memory of 1544	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	1073r.exe
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	wjkfIFenUlan.exe
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	wjkfIFenUlan.exe
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	wjkfIFenUlan.exe
PID 1640 wrote to memory of 1540	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	wjkfIFenUlan.exe
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	dlkypkltUlan.exe
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	dlkypkltUlan.exe
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	dlkypkltUlan.exe
PID 1640 wrote to memory of 764	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	dlkypkltUlan.exe
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe
PID 1640 wrote to memory of 396	1640	8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe
"C:\Users\Admin\AppData\Local\Temp\8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\1073r.exe
"C:\Users\Admin\AppData\Local\Temp\1073r.exe" 9 REP
2⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe
"C:\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:1540

C:\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe
"C:\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe" 8 LAN
2⤵
- Executes dropped EXE
PID:764

C:\Windows\SysWOW64\icacls.exe
icacls "C:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:396

C:\Windows\SysWOW64\icacls.exe
icacls "D:\*" /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:528

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2840

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
2⤵
PID:2888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "audioendpointbuilder" /y
3⤵
PID:2884

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "samss" /y
3⤵
PID:1716

C:\Windows\SysWOW64\net.exe
"C:\Windows\System32\net.exe" stop "samss" /y
2⤵
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

MD5
3658feab4d22061ea911bbec0c153b72

SHA1
4a9042b73b4a6bb02d050a0271cc17fec9905cac

SHA256
4f331b828d05077b46af2153165900a56f3c24991a9ace2096da976cf9068758

SHA512
e82f44a765e939d30980600faa6454d31de2b18097508fcb64a4cf893e8e98a5ded56c0c0218c9a8b69f489c9ea3c14ce914bb9b597c2b8e72f4310b571b99cf

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

MD5
59c25d6a5dbd28ff1f1062df861aa376

SHA1
3042975aa98f815be24a32180f14f29332bc80a3

SHA256
13791ce0c7b852721c1b57875748e4f65cad476b11a40d34574c1479fb6eb4a8

SHA512
bdf0bb8bbbd46dc58dcea35b0a36b28a8dba6ad6c5faf0e17c9477cedf5fe62f4308363865abbf9858a8dea3804778f8fbd162c4ef29c58aa6b7b90655abccfd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

MD5
996b368b44bbad8536f7115df9f2f630

SHA1
c08f004ac0f6b6b709c61ab3b3560e012d7c578d

SHA256
fb4243e0fab4c7e59712c87784a7d6b3000d6bf94f07e8ab42633a98aaf19c8d

SHA512
6ecb188b7250a9e7da6bda3b483e293db14c40dfb5695379a6874d5759c303b66579febd36b788f34b2c4a9cfd3efa4b805782669aa98d9c7223b870be4a1ad8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

MD5
bf26d5757ec9cf672d3e5faed25290e0

SHA1
6bce9fae22f01c93be9c2d7151a757f7369133f0

SHA256
b0df51c4d47afe92007b2573cd63de81aa2eb73731e7c6e1412723f56642b8b6

SHA512
70ad599d5fa09480fa75afbb5dee170bbc109ebddba1bd380153aecab2b203f800a123209cdec6578d8606717d8815c7a5ed3d053eb510d20d7d913f39957fe6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

MD5
0bc4ef98c0d82993cb81be97e1e5ad91

SHA1
77b51657225ba01629c8b16e4b9f1799d4343517

SHA256
23e3dba3c36a4ba4be4fa1112406186e2b7362bb3224b0825f60dac456188bea

SHA512
a3d51fac9c58eb0d2783470bb2357f414e93f2f5bcafb77a7f6a7ef32303b4fcd16c8e5cd93038532c8579b49872871c6da77cfa5dbc43f0e8efa1b71775c35b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

MD5
9649f15a2b14f3544e62cab070f2b08b

SHA1
5eb8725f1ccb2d0508d8291987f0834561649e9b

SHA256
46edd9a113b7c2ea5921d86defa7db8110979170a2e17961e068ff87327986a2

SHA512
7db967a67e1543cf1567898c2a910a5018cae6c4547c46ae7625b6decbedadb1ee0ab34e19912f8fac2101d29fc5cae4c79fbaff37dbd730285865893306505f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

MD5
96958f22f525d3210d36013ea4d2c754

SHA1
dadbd1c0c3c1a51d7112917a9c5a3f644c7283e5

SHA256
9fbb287a833d5cac1af64d3ee0f324ee3a88fcdb2b33d26a69ef1fa97d264d39

SHA512
8179159a9e054fd9371a75923428b9088e0918b60e0ede9d052aa94b0da87b31937c71ef42def29d2fd15268686d1fdde90b9c040909fcf0998a49e948986933

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
f1ac854d1ee72e59f643c446ec985534

SHA1
fe01c1eb65d6cbaf39268d3d7e3637e92e2efc97

SHA256
49b175817355b30e926ee55ac80dc27f83aa15e73f834efdbf0371eabfa518f5

SHA512
cf4e11157de83ab90939ee7106064b51fd62a30352b622003f8d87fc327e2705e9dbfe6c4eb5512666370ee6030f0d9058c0b3265ccc8a5bbf4ccd3935f17eee

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

MD5
623ded46206827643f3fdef7d4e329ce

SHA1
c932140643100b309413a87389d0402762bd1206

SHA256
8e69c2d58b279b02ec6b6bab4415dc9c7901025b23f106a0eee8b3929a9b093c

SHA512
dbe6ee5ca0ccef1fa1af256286f0cf493b7905b7f0675fcb91714943f62f0248730f5c62a8c6ce9cd9a12397a52a7bdcdc420ddc6a851e3d02826196ffddd996

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

MD5
cda1b0b90c69c0ae07f5d0d173b35968

SHA1
b0cf46a1a05908fb18d861f6eb7d8a5e8ff1be65

SHA256
788f17aed5424da5767b7e8780c96c8100426d03c6ee1a8c20e610bbeab888f8

SHA512
5faacdaaef0bffb6b54bead5e6a696bfe29fcdab33869f5b40e89b026b6918ed805a8f172c54fccb9bc92d01d77513718e8ca504110432ad79187dd2c499ecc7

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

MD5
d129e3ef328e8757c03c0780b3b58e8f

SHA1
7d2a0f655a457c6d1d6c277d17b12007dcec7121

SHA256
e03394dc500433b08d8f4b7308768a3b58cfa184e33453d3867998bb2ee0ff85

SHA512
60aaef51b1b8e663cd6be424614dab11d5089473a7b83fb4d3dce773de7033d4e66c2e22eddf536ceaee262807b8f07718c66ddf65dcdce6109107693bac369a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

MD5
ed56131f57483d1d99a85c4c7a8c208d

SHA1
ccb14805539b378f675c0e60654377752095621b

SHA256
d78d828a63ff3d5f77b79daa49a765cc8fb8137b13f6626dc27a67770d1707cd

SHA512
ee11bdb6b63465b071229a383eb01a15631dc80e1359f9f12d1002548d1a4236091c69314607587d64cc3524119e307cf2513fadc10d2fea3bb0e704fb530365

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
fb6dfdafab031a10fb1ccc8cd146b851

SHA1
decbec287df2b5ce58b91bdc9d787cd0b5f09bb6

SHA256
1452b9e4a6faa0cc1674186ff5d915a10e7a2f306b6b435aa306598274f29274

SHA512
d9b00284f9970f8a64eab174171a1b9097540aeb4ad081d7bfd65b6daed00e4b6e28c82cc7fd8dc77f07e482646a91bf31449bf1f7c2ea7e791e3607932b3d09

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

MD5
baf8e1fcca987e34224838cd2579e7fe

SHA1
0293fabb4872b0c1c1bad167f537b98eb37fe7c7

SHA256
22f7968b362c34ae3925fadf1fc7237b732c115ab9a27b73ae2ea659c9ac622a

SHA512
1b6c6b46d9a3d3d5b2cc98290023df538481b1512921282ca4fd56830d6b3b09b36d6f1d4d966e18b0786fd494524dcd8a695030248f3422a82eda5e75e99283

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

MD5
15f816bd401fed4b0f7a98318c354ccc

SHA1
b792b86cbc50637d323cbee03a9e12645b12f590

SHA256
5ec1221d14d111bfa8da6b547be9aa8ea314b6847c035e9cf7cf4f0eda806a97

SHA512
8e6b531efc087693d27acf52c37a650a205a9656c6e2d8a3aa671b195147b358be23a3f4013635343cd204bc6e316c58b875bf497107ee4dce9efe14abaf47c5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
477e3ba3610cf7311e5a6d79d2b31b9b

SHA1
334f4473e68c94a6513541fafc307d58a747bd5d

SHA256
e151ee7830be8afbd1251fae3a1562759bcb900999f6c3ac49f4789500e4ccb8

SHA512
6e44d2b2f0c6fbd33ba16fd38214fbd066c37b062d4ad08d76a6dafc4611da509f6da209f3732205e73a0598abed6ed642a6f73f4edc8aee770ca401a0f21aab

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
2ced12e2bd54c913c7d089d4f3e7316c

SHA1
fcbf591e6e946851440b282e8da70733184c37c7

SHA256
03be5b6434cddb37e0791afb8ddbab5262d792946461147ed4cec9482cae1c55

SHA512
ef33617334fe17bcf222770c1a27fffed6956e66aad50e3c1fdd9fa6fd31e2e1cb64f57381dbc3a08aed73f608da477034136c69c9fa2aae7a86f79a0f5b7fb6

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

MD5
67d8276a0d14e62716d6b7add073cc8c

SHA1
86368ff37f52b004b5edc5a435f375329c6e495f

SHA256
d1ebeea43b42155268b2eefc38b0cb87b06321134e1754fcebc454ed7d0908b0

SHA512
6911e57bc3fc3fb98372e0a47baf6350bec42d9e8cdded6bb81bc4da28a8672b56fb983abd46be4bba602e2e6116d4287942d350c70f860b9d6347b2fdf151de

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

MD5
17accaf5b0401a80c419bbea737280f5

SHA1
390769af2e216724da6e985c01ad8b17ef8b46a1

SHA256
552aa38899bebed62109b6d582f9b098b43c86b96d83a2fc9ed9e138611e4903

SHA512
3c66d660612a0f522465d369ef2cbffd2f37b8c511949e37c345aa3e2a8750cbd7f0cce847d3ca1201ba601a59963e3d4b5ac8e06f7bb7bedfb0880f92ca5514

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

MD5
d7c6db9d1916bdcc3dea381a510e0595

SHA1
92cb9ef476af046bdd4226c62b6709c0a2aa288f

SHA256
089886e32934454260a2f92deb0c080d71273e6e4065ad41ede2f88d82e280c7

SHA512
a12aa967ddf8807431a82ace24799ad0020a5e3c70a384ffdba61921ebd9a0f8380dd93eb4172f27ac6c432a9707e501ea8aec05791952e8a601cdc13050f5f9

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
033f04c140ff487e1d5ecb5335c6ba84

SHA1
449c4daa2d7e5789b1a050778bf4f55cd5f47b51

SHA256
9b4bd5d81446e1ee50bb31bebd9195606a453cf28335871699b449d0e7cfe035

SHA512
c330ed730f9cfcda39daacea0a1357a448563ad556ff9f370204bcf5eee3dd70c74342cdf598846c85f2fdbd52db4d8e0c611d1441f2999eea6000e6401febb0

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

MD5
99c019c0fdc39273b26376e83e6385d6

SHA1
7b10f6d4c06815977cee86cf532b7dd07c6f2bd8

SHA256
5401fab25387cdb79a9b06301f049fbfc2b25edef0babe2dac9e99b35fad7498

SHA512
59fd723c3fee7a86c20bff7b7d966d3e3c6388f3cca1834be1f8e4fb836c122ad5d70df4597c4248700e51b2253872b9f3683ebd9c6bffb1e553b69c5f1ad986

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

MD5
040b30818191041c34bd11574841b2c6

SHA1
de91cc060163b8d252ce103611da8f627d2bc567

SHA256
119029e6de1b1142b9438d0e8649d5a663559a7a7dd979b3fd9545118311d5d5

SHA512
6964d6086c1a827e657f17e73c8d64f647e4f561f7bab99230ab2c5ae18f2d9e20d271747421f17d9e9e00a08635d288015b4aa1a7854137c85dbc028f19e318

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

MD5
b9f2841c56f058cd7ee0048857f073db

SHA1
58c1b69903596c355ed230e292659fbd1e937e36

SHA256
05933b99c64060a5e6e7ef8e8358eacff20a66a019b3ec9f3e209c286c2fffc0

SHA512
6175be8aa5cb67bf18c7d91935c71a4a141ddf87cc3240e565ff6adcddd1683b7d140c4747e749c8b66ffc14e2ef3b758685a2870d9d83a065071ef0715a7ca3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
fdeaa4f49d0267be155dacdf81cf14ac

SHA1
09787fa6e85cbea643cf3177fd50514b7bfce8d7

SHA256
dd15e8033f3aa47177e4915dd309ef75bd394f7bea36bbf0c1471b82955778aa

SHA512
237e8eeea0a682f2d3a3076fdb826a6f9b5c38b9dd76d8e60452a671db2b2164e59867d4c5651307d5aa962e76b3371c078f9b2b129cb47598c65d852c653da6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
2523051d2d3b12f441b25ebfdf53c108

SHA1
9d0ca1d0ddafe26b3df64e9daf21b09808312312

SHA256
22762f573715a8d158482d61647ba03572783d38a679a6486353ca85a1db62fe

SHA512
79ca79e578910434a5edd1899b3753ff2d8b0a7a552d3fbadd1c30f035d20bc51d23c820b42d2042959db7fd18acca19067067f7093c36ac6ea02cbe4fd702a7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

MD5
fd1cd6ae4474f9cf0461d46425ce9a0e

SHA1
f90fcafb3b299066c514ac4503a9b552a8071ec8

SHA256
366bb373d9d2feb0e81bbc355d69caf4c5979d28a8506b319ea8f40ea8aecfcf

SHA512
6a0a406bfdf99f74d59e23138c5e8df6c9aa2c0862ea151e62fed77e400079a34a16c82f58e350762597977acfc8edff8c7ee59277ee11fcad10a5c8dab43433

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

MD5
c91a8550598689c4ef5706e8c7e44b13

SHA1
2839db2eb120c3ecdd1b2862e9493312c81f3601

SHA256
f5d2df426c449efd1ec5b10e656146580d01a9ae0311a97e9152049b5365bf17

SHA512
391fb20317d80f1c0536729377fa1613d673ed3d4506e6765d62ea483b1e4542f0082c96e487971f48e02302093f38f9dbc804cf658b0fde55ad6dad0c2df844

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

MD5
44406eee6d7fd8cf302bf6ac7cfa25df

SHA1
9d351bd0c587226b798164c5a6c6283813dcb2c2

SHA256
ffb7869045db39501ceb6ee14d688b86e66daf69e8a39d2ab2c519e9b7a04b36

SHA512
b9a6c57ec2903419405c6668171d27c2e795020d1f6cc778fb4971b4b297d72f20a729ef98f719e3549745fa605830d5e51c858bf8b4ee44566700a94e1a5cbe

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

MD5
79c1a6480d5b6ee7d81683fbc33b9e89

SHA1
47decf449a38170dc76ecc9ba40af0496888660e

SHA256
027aef0521cfedda6c6cda6e32c321c99f2e69aba31c5486df0f155ae1ac2b95

SHA512
f4f3f730093d82f4aa6362a6465a46bb7f1c4dc1f3b55fb6bde1031ea0d78def4d955aac72bfce46ce9cd2ad30b448d503fbb78db7ca4cd2904ee95edbdb8b30

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

MD5
3aa979d228c2d8973ae003b2630758a1

SHA1
2033f5d88f398965933d693e70438c6f804d0076

SHA256
d248ac2d6f556a9cfb55ca91b6c087be25a6a26eaa97f49c1a58cead9edf9fbe

SHA512
97e4c00b34ac83b903cedbb476fcd830539a8f4428b81bb08b5711d81fb16a7fc4fe6f4c07010b88ca09c3427b1671b3b09a5e1157b6b99071296bdb9f63b77a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

MD5
9224cc3e4516d5bbf6ec2a14c7674a7c

SHA1
e118d74e2f02d2f1b16044284f4970db15174ade

SHA256
ae81ad4e568f88eeac8d955b37c91c9be222e5fdb3ef0a1e00aa3618b3dc45fa

SHA512
f4e48dee3e0bbef12fe313ae20be4bd6fdd4c2ce8c8b186e7d42cbca5eb5d25a6a10e468ea6e77aa119c957b35f41f5c3ee14def04aeb147ef683b7c3e76ca57

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

MD5
1e36e8f33fc598b61245c3c9651bf749

SHA1
991274979f909b932bc29b05f1731e14f95c2a13

SHA256
ed64c62169810eac2034354f37dfa55852b9f681427014390acc62109c694179

SHA512
5d96cd724d292f84a20f4fcafa963c5ce93ee4512fdd4dcc07f0d2f56bb8e121c567c6b3eecf6c835b674fffd65329f8effe778518eae2c853795a06d988d98b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

MD5
c3a4b0f40c185afbe2c6bb04914d202c

SHA1
952e3ef27aeb730e0ba351bab0439e52e6deec66

SHA256
76abc33c88c518dbecee581c8448f38ce8e2b552ddbe6b87da23a6680d1f43c7

SHA512
ad463e53cfc02666dfde5ea2d7ac1be8ac163bd87dbfb03f0a50a5c640863b44ad2e59358f5d8a98cf877b7c5be3198ffe7c012a1892dccd7a9a81869b686b7e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

MD5
9133ce599b29088952fb4e3b7be18df3

SHA1
56411be39a9640b908a2efd1c8c2b455c7865d48

SHA256
6a3c28ff4aeb0fc18dff41e0f359e6255245c6882fe4a262d3896ffea3644703

SHA512
5a61e1b0f10d391650293ab1672a9c3ee0e4255dd741488368423f1ff6a75335153a6cd8f8f2cc2a09622df94fa5e1b4ac4e073d0a62f5b09f4cdb600f971450

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

MD5
846c7e9daa8a2cc827a16ed8fd4b30c8

SHA1
6ea718f16c94d60740739d806bb57969baaccae2

SHA256
0dac75ed10c9d1b026d6116557036cb5637096ae72b9c0654c9fef3d323da153

SHA512
630332f338662bbd0e34073dccec52b74eebad18d1a030e9391b0e80256d55209b9cf45ce6931f37089864147ec83c3b67cf21202575228971f60a2727251c46

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

MD5
72c54d12e29b80ae5f89f7e1f344c47a

SHA1
d8b84f8997ec592b14688d3acc1001434353819f

SHA256
6849ffdaef8a154d6c1747678d8d48ae46ee83746a22200b7a7f89e04af482c2

SHA512
85c52ee05224ca6de7db87e690b328b5125aae19dcba4974ca31ead9ae005cfb0d8714ce9789b683e6bd8a23b2fab71d3554c6bc1c585a84a7a3d88d2b4728e0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

MD5
0ef3c19966bf7a72ef8e7236bd102949

SHA1
251ad81879af6dfda28ba5c3910aa07b88f86460

SHA256
332c03f5a0684d076b86bbfa59aa82d0b568e77583d6ff08b0bd66b497d54a3f

SHA512
a120aee89e2b87e79d4cf8d0fe2874aaa4142b418f4cec58421ffa0892bb0f77dabbf54cc37cbad1873cffdaa8784f30928f7de2ec76396dd70bf82c8a12ba15

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

MD5
2f3b6060578a16568866fcae8bb27f43

SHA1
53d7fdf43926c8968d665fce83cb91eac6aceca7

SHA256
8936b7df21d06c6cbd54c02479713ceb8ba077e7c90e41aa3ff2f1e440d8815c

SHA512
ef87221c300e68ab0d1ee298b1b63c18aa3a3c9f7957086341d6b8710a1868f5e77746f13b969debedeba215aa4110cc19108016bb391f89618d992977234493

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

MD5
d59ad8e91f59d57f371dcd1868b666d4

SHA1
cdae650816817a0f02351f93b1451215f955c580

SHA256
496c162cddee732909e5aafdd2ba00173f00bf5c7180316fbb0df7d9c72197b6

SHA512
25bc28823d50f9c740f748eaa7c887a6ded07dd40bb71c445622710560b4fc009f42d6a746b92210390631b28b68f256dea18b5a474b87924ee208038b407152

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

MD5
e814cd9c600ee9b146ded05082ee80e8

SHA1
2f9a7b8da2bd57a2bb812374c8e7eee975583214

SHA256
b89db7a403deb3c4ffeb5828572ceb2660ab293d435f40546c90dce74624e64b

SHA512
c9ddd0611fcc10dbb2b6ed833169139fc2230ad3d9190230e8dc5fa655cd24e77e84838a780377a85fe4c2baa4ff4f9744630e1096530b468ef288882c5de7c2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

MD5
7656792f24ce6dc6e1b602a3529d2d44

SHA1
b622af64c2ac503b34070a1abb67bae1929cde9c

SHA256
f13baf5eb0b4ff842ca45736777cfef03c45c4b04665876ab9db447ff5366e03

SHA512
67053196fffb98297baed2359776a047dc5142f68675af82ed53a8e3475b49e5a3eb49f36800a0e613128117fd1830d6c74b6345f52a4c909e697c10fd945a11

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

MD5
e6eb95ced6f93dc130ea0bcfa800d4db

SHA1
cfa2c6d3f33eb1e8d9581d803d6875952f928d97

SHA256
9d798913b23a1cf39ae8da2e7ae3b460a1932603e1354a35eea2308e98459db7

SHA512
75aed42295a77197231db7b9c4d5d6df978ee70a04e02b31fc48ab05275884ec7d745be84207ee40818fac1519a4c0ea10dfc6e7eac25028e6e42fb728f882bd

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

MD5
b453c6dd05bb54593ebfd76aa6e57d6f

SHA1
2387728d6063ab725e5fd83c48d72fa463b46718

SHA256
12d4b8094473b4c1f9a8710a87bb20336f41c638c33917f38abe6afad43aba68

SHA512
9d253c678d2680c4d65db2ddb7dfb837bf8ff798abeb9fbca8aa90d17f213d94baa2b596003fbdbf1a1fb6f33d1f11481b846bffabd05ed30a046616f1e5aff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\1073r.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\dlkypkltUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
\Users\Admin\AppData\Local\Temp\wjkfIFenUlan.exe

MD5
89895cf4c88f13e5797aab63dddf1078

SHA1
1efc175983a17bd6c562fe7b054045d6dcb341e5

SHA256
8f368b029a3a5517cb133529274834585d087a2d3a5875d03ea38e5774019c8a

SHA512
d238fa264ad931ed43798a65f01cbe1d044300dbe5312bdcef8540f2757079514daae27f30f2369b7b811a3273c961f9fd38e7ae5010c11120c83906e8c102e2

Download Submit
memory/396-73-0x0000000000000000-mapping.dmp

Download
memory/528-74-0x0000000000000000-mapping.dmp

Download
memory/764-71-0x0000000000000000-mapping.dmp

Download
memory/1540-67-0x0000000000000000-mapping.dmp

Download
memory/1544-63-0x0000000000000000-mapping.dmp

Download
memory/1640-60-0x00000000769B1000-0x00000000769B3000-memory.dmp

Filesize
8KB

Download
memory/1716-136-0x0000000000000000-mapping.dmp

Download
memory/2560-130-0x0000000000000000-mapping.dmp

Download
memory/2840-134-0x0000000000000000-mapping.dmp

Download
memory/2852-135-0x0000000000000000-mapping.dmp

Download
memory/2864-132-0x0000000000000000-mapping.dmp

Download
memory/2884-133-0x0000000000000000-mapping.dmp

Download
memory/2888-131-0x0000000000000000-mapping.dmp

Download