ryuk | 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

Analysis

max time kernel
144s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-08-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
Size

397KB
MD5

5af409fe584bed2f8b847bb9d2eca34f
SHA1

b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3
SHA256

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4
SHA512

f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Score

10^/10

ryuk dave discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral1/memory/1096-62-0x0000000000480000-0x00000000004A4000-memory.dmp	dave

Executes dropped EXE 3 IoCs

Processes:

MLFtFWvVolan.exenkcnbDYgSlan.exeoxmiNLhAulan.exe

pid process

1724 MLFtFWvVolan.exe
1988 nkcnbDYgSlan.exe
840 oxmiNLhAulan.exe

pid	process
1724	MLFtFWvVolan.exe
1988	nkcnbDYgSlan.exe
840	oxmiNLhAulan.exe

Loads dropped DLL 6 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

pid	process
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

740 icacls.exe
1084 icacls.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

pid process

1096 3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

pid	process
740	icacls.exe
1084	icacls.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe

description	pid	process	target process
PID 1096 wrote to memory of 1724	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	MLFtFWvVolan.exe
PID 1096 wrote to memory of 1724	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	MLFtFWvVolan.exe
PID 1096 wrote to memory of 1724	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	MLFtFWvVolan.exe
PID 1096 wrote to memory of 1724	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	MLFtFWvVolan.exe
PID 1096 wrote to memory of 1988	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	nkcnbDYgSlan.exe
PID 1096 wrote to memory of 1988	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	nkcnbDYgSlan.exe
PID 1096 wrote to memory of 1988	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	nkcnbDYgSlan.exe
PID 1096 wrote to memory of 1988	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	nkcnbDYgSlan.exe
PID 1096 wrote to memory of 840	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	oxmiNLhAulan.exe
PID 1096 wrote to memory of 840	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	oxmiNLhAulan.exe
PID 1096 wrote to memory of 840	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	oxmiNLhAulan.exe
PID 1096 wrote to memory of 840	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	oxmiNLhAulan.exe
PID 1096 wrote to memory of 740	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 740	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 740	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 740	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 1084	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 1084	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 1084	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe
PID 1096 wrote to memory of 1084	1096	3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe
"C:\Users\Admin\AppData\Local\Temp\3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1096
- C:\Users\Admin\AppData\Local\Temp\MLFtFWvVolan.exe
  "C:\Users\Admin\AppData\Local\Temp\MLFtFWvVolan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1724
- C:\Users\Admin\AppData\Local\Temp\nkcnbDYgSlan.exe
  "C:\Users\Admin\AppData\Local\Temp\nkcnbDYgSlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\oxmiNLhAulan.exe
  "C:\Users\Admin\AppData\Local\Temp\oxmiNLhAulan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:840
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:740
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
3.7MB

MD5
73d5c3b8acd6b93fcc58d6df5f981b64

SHA1
aa483973647e29a62bcebdada23e721d779b6995

SHA256
eb661144a0d91eb8d929129ad2e3b45de0c78bdd962630030a5650c80e071871

SHA512
5485b101a770fc291894f0291b5497c24b1e0470ce2641baf753f4e741dc3531ad53ba71ea6588af36a552cc2109f2e3db001527de9dd9c68e00e643197b25c2

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
dcaea70bac5b68da1fe6b99235b62990

SHA1
1bc488692ce4fab96169eb19b72906a78db4a044

SHA256
7bb42deff68e0491a66c02c89338f68497004c2f35564cce2c839bd4e56c3990

SHA512
538bd40c571df52a3a5d42616d6cd6b4df38d54e70b5c9fa8b6204f2b66d3954fa092bf05e6ac91448882d1fa0cff098825f1a0d6e888d1689714142623befde

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
213ec4123014f61b97cbbc01da019794

SHA1
2714cdbd3ff1fc5935f697362eab823d8e7be8d4

SHA256
b8b448cfcf726f135fc69551e6c9d9a0ad981b984b2f00daafc76436fac2e722

SHA512
bdf6828c140ffefb55c1a788f963235c98890542ba7a072b55b78103ecd3a2fad7f400d68643a155e54cfa879835632ca739c9b3eb0c37faac791a411c43e6c8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
3.8MB

MD5
c03efec41db197ed5aaccf306f41a3e8

SHA1
4534ffe64dc64b5d398212bb6bfcc0a4a96ea652

SHA256
c746f26e124225549de0674ebc5e1d4bac5999efdd7419385459c2fc74fc54b3

SHA512
9ee9ee22e624d149c79a56774f6a7177cee57f80cb5de8b932da070a74bb9ed6b58e5c1bd4975223972b608cb982c785bf32cbcb4136b2bd2b8bfa8c99884a1a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
fe38b0d639f305feb9e808fdb1f5445b

SHA1
12efb8b01eeb5b86ee3642d2962162c92a881388

SHA256
e471527b0edff1ba694cb3a417978a6bc323e713871bc8b6cfc12d17c591b419

SHA512
8d9060a71fcf2ed43bbdb2866d99df5f258298d5a94d55f3665e226b4092b4e29d1dbbdee02ba9437ea262a43ef22e776d360aad5a4de5dfe56673bfe451df3f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

Filesize
3.8MB

MD5
1e6a4efab725b65cdb41f8bbb90758c5

SHA1
1bdbd7c7738a19203365895b79fa509236a124fc

SHA256
4eecac8cc33530a83917d66cce63b47dd528ed80cfc4d244fc6e09669fb3b03d

SHA512
a85a49c3fc98f1b07d4f607915f0e6a98813b3ddb60cdcbaf2847ae4c39adc257745d45ca894002038dfb5401e9a3400967a0abe64c9d2e9f4b2ea2d9cd04aba

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

Filesize
3.8MB

MD5
263e52655cfcb9c50421b5b964b71737

SHA1
94a8ce5971d806ccbefe6c7da56b31de2ae2c58f

SHA256
caac09f056bac26e7a4bbe86abad0b57331ece2a23a65c85b4eab232edfea1e9

SHA512
2d8d4902ad04b3a43152fcff9f4ed592dd0431d848b559f6ba5a0fdbc74a69004e83915172c9bb86ced892b035daf8878017019ef8da61886a49a585dc2f51b8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
fb26b598cd216ecf00f640690482fd83

SHA1
277b4b6af3e5008027cbb5b9495935b32a18bb60

SHA256
0eb3579296e6e08ed7163c80e5bd002bdf56708ed60165b1aed63e69b1bf8c5d

SHA512
69f8e48a2d04e024374367c18dd05ec440cf21c6b3757fe5c07895f0ac43d9be4aad72ebdad0e0a8cc17f0819d82f15975321b5212dec4e73fc9d89d59865d86

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
86183465febfb74d4aabba71e9abc446

SHA1
0f5887a8b103eb9da3364130225639f6e3df124a

SHA256
6690d0df0b1392fcc8274d56380cb17f497e6ed3cbd04a8a181ac875479257b4

SHA512
355510d02f7eb8ec9164797d012a394e52985a20ba390f4426cdb424fa620f88c3edb50f90be3b5a0fb52a928c2540515fcd15481c9e1b29e90cbc2d0357bfe3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
3.8MB

MD5
5b493fe59cbebfa0bc0c8b167da1766e

SHA1
ec5716f719ddbbb7644055a1611d04f3cdc5ee84

SHA256
ca2b222922c2af0c8cd1059e5ed989cf52fca16cdd9313fd5b6563183e080d0c

SHA512
bcf09e0d89478cd4536ae2df926f55ed6602730f4582deb141d9f08650ce49e3772cc6443529c3d7a15d2ff44e334705f4f3f77a1fc5b05a3fae2118ae2b59a4

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
d59dbe684261ac627f92e0bc4942d71f

SHA1
119a0b45d7e7eabf8fc95ed6874cd856dd9ddfcb

SHA256
2eac5f75212acf20e2304fd2cf2ecd14d61608a4460da86d54078b5c8586f532

SHA512
89daed4eb5bfc776652856ebbcd477997400da78bbaf059779fef6e7900576304700fa939d198294d4ef40235c11f2c8bc224209d61413942c5e531082d63471

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
cf8182f7d402a4bd4155fcaa3c0c71c3

SHA1
69a74f7e7dfd6711960199da5a540bbfbfc239ca

SHA256
4ca92cc2aa895a293d78c81458e2d172619e33e6ef429bf52d7a6b61d129708a

SHA512
cd48e7680da7b7a60560f1b3f3192e981d88a8ae790b2ae977a9db7ab2ce6228af3c805885a6ea963ed7fc690e8843db417f85a15693eebb9a3ce2f7845a3017

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
0a48b7e1ebd94b32d78302f788a6f855

SHA1
b8536a44f6f36ff113ccb41b9ff8806ba66ec982

SHA256
dcadc7dd2e6d00dd61a01a75ea8d7382d093da85eed543211830f02e93bb3415

SHA512
9503e45c3ced575a993901972919bff87b1732f389b26ce8b810f6ee2074371edd993e67663da0110e1baa844f79687055d888776a0004f8ca463ffcefeb3b37

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
e84b2b78bb2de7f4f718995ce51a62ac

SHA1
d832a715760e86fecc5871c9af8e9b3866a6e9d2

SHA256
0102060a0d59e5ef12707d15443f88edf6a48a80c01f7e1d2ef946541b0cf8c2

SHA512
42dffb3eff55e3b98f6bd58be527a1687b32be8b66cca9e3c80cbd1c3d692b6d238cfcf139b92631d3985f7f7563cb2e2ba076528be0ed9b65cff5cdec1e97f9

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
9412a5e5f76d69baf1db43cd56186b86

SHA1
a79a21fb4227692acd1023d28afd1c0f9def2b6f

SHA256
8164b064127ecb99ccd54cebef00be5a9b53c12dc42168367dd2f1a131876078

SHA512
de118c723ea8162a9b154f8fb3af1a7f4257493c084e8a01f0c0817f27da038ebd019a6d8ba1cfe690be0db5999d8e8cbfa3eb12c1ae44420f019602a7ca3fe1

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

Filesize
3.8MB

MD5
e0059afbda7b547f2d3a27b77af7151c

SHA1
2b86e73cb642322d72732c3177f25cce766d7945

SHA256
4c3e5f8139089ed184314f5900daa4c20245ef73e39a5f2c19472bc286331c62

SHA512
81b82cce92a8ac6dc5238048deb308ef436ee1c51cc8560137e24387d8c923fd734aefa105fe36d89106fe649dbf3f030a019fe9473a9d3805059dd2d4c46d3f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
e4d0fd6384e226f722c105859dbd4a10

SHA1
7431b6e77f97f6f1c380d074565b9ed9e6b066a4

SHA256
7eaf9fbd12a68d99286ea279d2a9b58620c544cec97e14ee4d07a6b80a72a91c

SHA512
5c81e45ca049debcd193ac0d247e252a929564ef4455e0331aa6031c40b244fdc77eb9bf2bfca7d2313994a997f61732d673ba876b60de4a27e58f94f52aba09

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
3.7MB

MD5
10288ec067b0ee00e8d57edae1a1a947

SHA1
a317d0840f0dc92f58c3558bf6f5bd631247e6b5

SHA256
8dddb615846961c10cd46fd9571104789e68c3178b9030b976c5b6654283d779

SHA512
8f6e930ea34b58c77e52a118af19826a1e05e16623b324750b455946a89860f43a058082fb3cb405d05874c74ed8d2a2376052e9028ce25fda9d9bd56e6566a7

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
0af2a229d48240af2bd7e500d1cc2619

SHA1
6eb0fb9ec9d8bec969d23ec2b7a31a6a7fe8f8d7

SHA256
33015abdfbce9e0081668dcc4eed7b0c3a2307314ddc3b6c44bb60e99df3479f

SHA512
399dce6b210164f2b1e7bb149207916ac7e08d4066e91c84bbc42965ac93ea5a9b0636fbbf5d53f3cd128705b56d46c341e6d99619bdc31a9bcd4c99bddb48e1

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
c54182dbee39f53a4b3a8c11ffc1b89b

SHA1
86259d89e2baeb0e65f1ee1e7db362200e839c2f

SHA256
4caa23215f58f6b567121c9179ae37e43d7b7d6e2fbc71023ccbe7618ac468a4

SHA512
8c0329e7638b403a8c0f68ce917ab5a6123e756e0d8e1f4fd230210eaabd04999dd41fd0f8c961c98aa48770c548eac240ddc82434e1675ec606678c5d021ab5

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
d686c71d854a1bd296e8e7c3e902fec0

SHA1
f4769ac9f10e0a733ef9ecf311df474202eb0702

SHA256
6961898d778ead50cd810c933d02a801f241c7c526f7cad7d68ebc1f2980c81c

SHA512
77abbb5bc6964f576baa22ca7a971537c644fa2191295c44417dbacbfbd8021e964a0dbf509e10af327d1023be57892400a03c81d7b971f6d001dec2f6fc92a1

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

Filesize
3.7MB

MD5
70eecb759c8d8c7cd9e3f7ec60251a65

SHA1
3bf9e4c38bd36160312249110f99dc69f137155e

SHA256
8f58a4aea0990b2353f20943c0c64a8e3ce6fb6119aa2b963f0ab1e48878ac29

SHA512
faeff49fa2db1ea6bccddca1902fb6de2f55a4768a88f93ef1fb34efbf8b2954b6280afbe5b4dda9408e8bfeb5a239205eb82adab02c8ae1e613f0e49c46c253

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
42d5059759c32baa3ca39052d549a400

SHA1
c7ab20b672204d7c61071e68d8904b8bcee4cecb

SHA256
7bc055b9a8c105c65c1f32025a735f26e8d8dca0954fa52d9bb84bd336d5ffcb

SHA512
63421c06e42497b19625b1cd5463d1c529aee5a1efac0ec50c15e70fb0211eb901ae184de39c24c363be9d1d6569522cf2accf33656e7610d036f549446ea32f

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
2921a73d667451c93651e94658aad572

SHA1
e5bf9ab6af92edfe1a4f8f74749daa230647496f

SHA256
0b041a8e839dc1d60550d0e49224fdf75b8778a88c10c5cae6ce465ced3d9c4b

SHA512
ecccec435da8675eaf1106d128cdcb474c2debc4c5604fa5a755538f07cd07c948765f692b13725d9a38583edae2ce62b87b6bbed2d2f790d202aee3159d748c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
3675321381be2e23b8073fd8d5697965

SHA1
c4cd1ada9331ad91416e0d8549f33c996a94dbf5

SHA256
eced3ab63fbf8518a5171b942df9a18f6423364a9580e6849de57510fcd9f482

SHA512
05e111b9a320e0bf1fcbfba6bb653d8668cd379ff5c61fe9cec9b928634ac7ec96fb0c8b98cb25578d848e74a68cedc9fa87f50c801e6d59361eac5ad3c0ed4f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
a33a722f7959ebd84e41635218619a9e

SHA1
e3d081d9bd8186a98a830ecc677646587e525028

SHA256
0f8ef942d66ac9c987c0da80fb4f7a989275126a9e4125eabdb45f705b49f1c6

SHA512
87fb8d906561c151989468a6e485ea4b615c029dbe550da4f25a2297ae57fbbb198d622336e81753a0944b083254dc7ae89145c9a43750a1606cd9b12549691b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
1.4MB

MD5
8f6563e33af99390054365fef148ac83

SHA1
73e4ac44142c17be3e45cdf65cb7bc6d3f000c93

SHA256
c228fbd2060eaac83484c9c00162507510bcf3f2b70af2432d2e923668cd26e6

SHA512
f3836f883ae585a9b1ececb86f501e53140fa3d3d2990d53bce11440f3e2a5a3ac0c39829e79e3e655418f755f29bf6ee924aa521e944dd47d9d8c0c903f970c

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
a77cb79bfdc646778a7e1bc6062b29d5

SHA1
8ed00ecf9e2112a36744433e1e9a2b667c06b744

SHA256
4be334871c82e0b459d49861c8e7bc2e8950220c8328d24e8438e2d0a750a31e

SHA512
3e1cd926b87181bfb45c65e80839b6a35a4679e9fd81118ed4a1e5eeafd726f232605095c431224b72bf2f291b3199d4e0d25d69a95714f03caa57c46a01a59e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
b199291dd0164db46a3165db88d8460f

SHA1
187d64ffe6a460da682a603f91d6863fd4d80afc

SHA256
4951341f7927b4dfae28b6de64ec86cbc2671baae2566b1693a001ca61d51d6d

SHA512
f03ae8e2a42fe461ba6e44903daa26b34648e64f2ca31e951ab89c4a7caec51d64f753fb929a3526c4479614c32557a09470dc9726ccd09ee8187078cb2cd59e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
1.3MB

MD5
6587ce07e6216810f018dbb6c55498bb

SHA1
f8ff75979d11720549c0f277b9d695a5c08beaca

SHA256
9de8cc92e3194ecc2ee41271e94ea5d95727fe38895bd24dbd8ea3b27d7fe53e

SHA512
d74224f4aa9cc28f18b910242a711e574f0e35e83b2faa3046db57d6991fe3c6a1456f146eb3dbd7cf95ac5a12ab63372ee435c7a446a09aaa8989592d3b723e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
ea186d34185d33a9e012a25f3b2a0100

SHA1
24c0a78f545413e8be8608f9053b1667040b04d9

SHA256
6cd26de27cbe87b8348cf16822954dfe7abea41f23d283202e4b28d2318601a5

SHA512
79097eb3a53feb80199f92d2e4edc05783ad8c6073a38fc74bf7d76cd15682335dccc49eb1d5d97a47142e2f88c871bb40e4bb43e3d306a374d4092a5de663e7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
911dc4cefdab50985aa731f7d8da4804

SHA1
aa8f604941688823a5644eecb01839c5c3bbdf05

SHA256
ca782303bab9aff4efd5e9eff5d0adbe7989796b245066cb6f4264e1b413c952

SHA512
1755cfa5ab37d80f8c945077c5fed842ec09bd6259e3d69d2a57499d03b8912d6c0725f9bcf60d5f696cb6262ff7c3081e997e4d3fba3369473427b4b4d37a79

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
1.3MB

MD5
b9b0e91310cede423b799ae0dbfe5cba

SHA1
cfa294385dd4d75fbd2e48eac6b8b740188e64dc

SHA256
b4153ca1a792aa2281e2a55a8a04fd1a2283c106e4734aad9315b1b6bc7ed736

SHA512
b8f1e513097c09eee88476a6d97e5c640ff36ada0c161e9683a8f9474c11aa705a9e1fa09f0dba9bfa3e53fe382e3babf39d9723418bbd21e15598754aaff190

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
5081cbe76268f7f64d86671993377e63

SHA1
43166aa4c2f23f99c04295eeb633d123c2e4057c

SHA256
415f3cdfa096c8bea56e04a200c20c182fa13ccf2cee7e5d72feadaa8d4cf654

SHA512
5d9946ea3a6f452b0de75a7db0b9c24cd84f9c9925fb1e2eacf29e28308f38972f9c3935ca15125869e2fab9155a9606ece883a0976fe5afe19b5908670865f8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
e056cc8111f5f20c53f3da07ec96cba6

SHA1
2a5675a15d4b8e21177bcb379fe9018d3fcfa699

SHA256
fd3a447d756e62096962bc52b16629f9d4f66234bb428ac8d4678920f371ff1b

SHA512
32a4368bbe5beba798521470d2e9c83bb858618c67cfa49db189a01c6b9e11f12c5f824c9836630904874cdd2a22ac47400b5fadd8f3ae3b91d7082e788bd46e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
1024KB

MD5
30ae3deca87ee2804039ca3255fc8fdd

SHA1
1e3b38ca435ad61f673d0224030fd00b2a816747

SHA256
786d3b520b6ca0a3717896b5a5d001f3ccd7c4fe3075dfdc8e40dc8ce43cee20

SHA512
5f86db6c4ccea6c52854c7c1249428d752f9a0374191a494b4ff767a7240ca7ce8d215f99dd4a022e1d51a414b9f5288b4055841e554b570150a1a7a6f8d758c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
4cdfd369b1191fb8f4e4a0adb3836410

SHA1
6703f9dfd3e64f2a8b6c4f340e92ec49e6783caf

SHA256
0a06da4c36ff5ae786e4009e38b9ebe33d5d673f17702aab9fdd03a12a0c3888

SHA512
4e1440a53bb9319cd1a35c02deccf44bf3b934191c5dc522c883095b7eb0685ab7b30e618e319de9cfc00257f940cf380ff1e0918040a6d9a31355f14de51641

Download Submit
C:\Users\Admin\AppData\Local\Temp\MLFtFWvVolan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nkcnbDYgSlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxmiNLhAulan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
5571a633e0ed282e12d066a24cebe1dd

SHA1
3814c9465ca1afdae41b7cc1e8a9790e53446490

SHA256
bf26056485fce5fefc42591d3144480eb19a689c57ac5e41fa1324d8c39c0e97

SHA512
eaa769f68aa25784cc8860cf24a4e2aba2232d6cbc35adf63e553161c254b9b97c89e22b6f37d05d3b96b7f769e05701f466ce4c55ce6e0daa0f84805aeeb97c

Download Submit
\Users\Admin\AppData\Local\Temp\MLFtFWvVolan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
\Users\Admin\AppData\Local\Temp\MLFtFWvVolan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
\Users\Admin\AppData\Local\Temp\nkcnbDYgSlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
\Users\Admin\AppData\Local\Temp\nkcnbDYgSlan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
\Users\Admin\AppData\Local\Temp\oxmiNLhAulan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
\Users\Admin\AppData\Local\Temp\oxmiNLhAulan.exe

Filesize
397KB

MD5
5af409fe584bed2f8b847bb9d2eca34f

SHA1
b49a2eed4d369cd608ffdf8d8cfe491d055f1cd3

SHA256
3ee706f07d13cb9e617eac2b4442479634ab48f11005568c739c6dcab75052a4

SHA512
f822e1a096f1a597b5c55159e725c769e63bf209c789e0e4e33ea6aa7db023aacde206a1151303cefa8b318a7312a3ae675231f8e91cc847d5db2c09c5b970bc

Download Submit
memory/740-102-0x0000000000000000-mapping.dmp

Download
memory/840-90-0x0000000000000000-mapping.dmp

Download
memory/840-92-0x0000000001E10000-0x0000000001E36000-memory.dmp

Filesize
152KB

Download
memory/1084-103-0x0000000000000000-mapping.dmp

Download
memory/1096-58-0x0000000035000000-0x000000003502B000-memory.dmp

Filesize
172KB

Download
memory/1096-62-0x0000000000480000-0x00000000004A4000-memory.dmp

Filesize
144KB

Download
memory/1096-63-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/1096-54-0x00000000006C0000-0x00000000006E6000-memory.dmp

Filesize
152KB

Download
memory/1724-66-0x0000000000000000-mapping.dmp

Download
memory/1724-68-0x0000000000390000-0x00000000003B6000-memory.dmp

Filesize
152KB

Download
memory/1988-78-0x0000000000000000-mapping.dmp

Download