ryuk | d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

Analysis

max time kernel
145s
max time network
150s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/05/2023, 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MTM4OWYz.exe
Size

127KB
MD5

e8673c8a299d1647ead6f3da4565ac54
SHA1

71015f9c281038d63bf7cd45894550c1a26c6b53
SHA256

d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe
SHA512

90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc
SSDEEP

3072:W/SfjQAr839SVK+DM590tfXQpr8WbkPnkaT3Tb0b:ySfjQAY39SVK+DM0tfXQfqv0

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

[email protected] balance of shadow universe Ryuk

Emails

[email protected]

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 3 IoCs

pid	Process
564	OZbjWsMnxlan.exe
1500	GEiQZcbThlan.exe
980	ydOxVrPGflan.exe

Loads dropped DLL 6 IoCs

pid	Process
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1356	icacls.exe
1044	icacls.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\History.txt	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	MTM4OWYz.exe
File opened for modification	C:\Program Files\RyukReadMe.html	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.html	MTM4OWYz.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	MTM4OWYz.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1408	MTM4OWYz.exe
1408	MTM4OWYz.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 564	1408	MTM4OWYz.exe	28
PID 1408 wrote to memory of 564	1408	MTM4OWYz.exe	28
PID 1408 wrote to memory of 564	1408	MTM4OWYz.exe	28
PID 1408 wrote to memory of 564	1408	MTM4OWYz.exe	28
PID 1408 wrote to memory of 1500	1408	MTM4OWYz.exe	29
PID 1408 wrote to memory of 1500	1408	MTM4OWYz.exe	29
PID 1408 wrote to memory of 1500	1408	MTM4OWYz.exe	29
PID 1408 wrote to memory of 1500	1408	MTM4OWYz.exe	29
PID 1408 wrote to memory of 980	1408	MTM4OWYz.exe	30
PID 1408 wrote to memory of 980	1408	MTM4OWYz.exe	30
PID 1408 wrote to memory of 980	1408	MTM4OWYz.exe	30
PID 1408 wrote to memory of 980	1408	MTM4OWYz.exe	30
PID 1408 wrote to memory of 1044	1408	MTM4OWYz.exe	32
PID 1408 wrote to memory of 1044	1408	MTM4OWYz.exe	32
PID 1408 wrote to memory of 1044	1408	MTM4OWYz.exe	32
PID 1408 wrote to memory of 1044	1408	MTM4OWYz.exe	32
PID 1408 wrote to memory of 1356	1408	MTM4OWYz.exe	31
PID 1408 wrote to memory of 1356	1408	MTM4OWYz.exe	31
PID 1408 wrote to memory of 1356	1408	MTM4OWYz.exe	31
PID 1408 wrote to memory of 1356	1408	MTM4OWYz.exe	31

C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe
"C:\Users\Admin\AppData\Local\Temp\MTM4OWYz.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe
  "C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:564
- C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe
  "C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe
  "C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1356
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\$Recycle.Bin\S-1-5-21-3430344531-3702557399-3004411149-1000\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
1.1MB

MD5
4b2da3a49155dc72d4ca89d2b6dd451e

SHA1
982f53b8d1e30dea5abc217dd45549d27b6565ad

SHA256
a20a189baca7f8f73700888354b53e38534fc65bd80ecaa7bb03413ba5f56f42

SHA512
25cd46943327bf0d96cbe4ecbe8393a96644a88238293e9ab9c40757a8d0e0957a82f5be0e2a2262d6c55e0ae0e6b9b57d8dfab4a6fcdcf1cb6fc88f4e10b5b0

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
1.9MB

MD5
eb4ee510d8b76ba96333dcf6a4e7018c

SHA1
f69cb50ff40f92c5fc795de9e5fb763da5e35eb1

SHA256
6aa2213a44176f558e1a9b0d59e3ba534f419218ba7deb8f179cff3463051299

SHA512
74d4a301c319c8aca038b21a757f24cf9d37f63cf26683db18c1db0e2cefc609f9f8905a39fcbd23a71e2ebb198fa63c01553ae5631aa7122f0daf34c163377d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
7d493a393b4fcd1cb4c7c5906bf69a9c

SHA1
e16a949aeff5b98d15b10a0b2c1197f1817c5551

SHA256
c1673747163ae8fdb941a642d41570fafe8b69a2cc9f2fb81732f315713d6d5e

SHA512
d4b3df4839cd992dd00767bed3917d896e219f47a896ffdb67c3e4ee5d74fd1480b5e7a401579f7ba706659b97cd0f78af1e7cd6b27dfdd0997353ec4904eb3b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
1.9MB

MD5
9bff559c5d468bb93107d1bd466d030a

SHA1
03db48fc1708a3d02999efeebd8a462348c1e91a

SHA256
7a17c9cfa52c1c0fb9a0dc3953c6d04c05b806ee13483b1f46a2b49ddc0ed5b9

SHA512
c2fb364e246b712ee551c777b11035954f4384e1a07235f9ed0272215a3ff862b446be9160451f056bf10e4d82f5d11670287190c3f27986b77131e1d36c55d3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
9fd8ef18b059a8ac8ba7407bcd4f2089

SHA1
4b288ddbc40ba7696cc01732aafbd0cdc610ff2d

SHA256
f1088386bd5866eacb2c739cbc00d6253d50cdbb39e0b453db02ecdf7160dd5c

SHA512
09ba4769e5a4b8b6f6a5095a5a3a8c9c9f9d2beba212e2d0870890f9b0f88542cfc4c779f8a9a4bd52ce536e46dd5418fbbff5a3a456260b0cfdb286eaac800c

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab.RYK

Filesize
1.8MB

MD5
8425a01507ad5da4b294e62876c5538b

SHA1
c83b576826198c5ba853ef140afefd0a16726ac8

SHA256
3da755aff37a3f368f877c24299f7e5944309b254468fba3432bab19d8bfa976

SHA512
b09fac71c761a568f361ac4f7cd8f5c5b1d03b9233a6df5409fee179a097975f81539dc6d32e183f24b5f363c22a2b07d1a38839503a025c0fe668c1fd67e23d

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

Filesize
1.1MB

MD5
c42cd7a692e7ecab50789247622da8d3

SHA1
c548768df03d5ba2cfc847ebef561882553a9af1

SHA256
d4c230b737c848509650b9cb31620044f9fa389e96b334267d544ee9e3898779

SHA512
8a5747280a1933ffd079901c7d413c84304a08f2f83d56bd76fa07de9bef7739ed9298f67bc46326ed6dd3b14e9f05d465abaf161219cd7234ea755aa8818424

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
f77448cb47007a7dcd568fc97c0b3b86

SHA1
1647a8d5e1da22f3d5945218c86101b6cd1b45cc

SHA256
d858ecf37e059ff230a23ccf6a1f9c6add31a0e811bfc79c373a488127d71a09

SHA512
6c33001c8cad3372a454bbbaf2e6c1f43984e22ed0f7098358a127ba5a35a13b5c3da1075fe78700a50c2ba51a97347ecd78ce9c28fd3b4abbb0cc554b0800c3

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
ed94567d03f22a080bc50a3741e8cedf

SHA1
8d2fae602ad349bf3af4579eeecc9ca546d973ae

SHA256
5d3cfda361afcede041dc489aa48e797933c3d7d297dc1f1422e40f059ee6f68

SHA512
1c2ed33f0ca3a2e33a14e6511225e407554ebff94bd8558598afe0664e86c879b042a9d688d4c6d3e41999215d7aba4f0cda915cedbc3c66db1b0b0f7ec32b81

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
1.2MB

MD5
0c7b2fa4bbeec3cc60ef101985384d84

SHA1
694a027fe967fe7017faa952cb42c7e66dcacdf4

SHA256
c92c3e2f5b4621f82b757d4d2b836998a73cad53e969b48267919b6875bc3a78

SHA512
ece44ebef5ab71dfb4ed1e46f3c476e8282a15f3e9ffc38a6f0d11871fead7f05029f533b92cbc2eb2dc9ed784fc2fd3b5c8a85629047e08aa0ae03fea55d4e2

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
832KB

MD5
689b02bf612616458c5c87a7504842f9

SHA1
748d8906636f1003d78808832abe7136d911dff0

SHA256
35e5e553e90b02e632df0972d35acd42dbd2bde6e07b8e73cba42d21d30e4bde

SHA512
c4639f1e92a764ad157f573360e128d4012bda71aa4adeae5b7cc603bf27a775936b46c0d3964d0b3f11d3caa11012b0f66c4807388e2c467e5eb9e24b065bdb

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
6c69a1e175c2a1aa7f22ba36c48e8c05

SHA1
a0bf765f60bee1d50c69620f57b25c5309afaa85

SHA256
dcc6613683e0210faf922a286607e113efd8ef58f37715786314bc3866b1a180

SHA512
5e5bebf4f417c215cfb22e59b663a809be8f986db5dbc5d337e05c600053eb0e7cf19f1e2c4610ef869a050f3acf97f1b1f80c570916bd973faafebc164d98cc

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
991c58f1513197a70754dbe310b7fe7c

SHA1
f33abb4f4fbc05343260f94d58050d8082b4a162

SHA256
82718eeb7d3f045d6c6184751d9a5757f0f56cdbdeea8d8f3744a8156e64bd4d

SHA512
80486b1539da61c0166923a0ee7e4af3d92369dafb7392cde07707eb69fb3eb24266fd349d7c7e85ae6c16ae7f1ef0364bc4e6c59bbcd707fefa4b78a8a62a67

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
2873ca514b9514cf786d721945a886d4

SHA1
3faa04bd344207d9e8c4fc48c469796ed6380179

SHA256
cac1e75586046dbcf747d0f4f378dfaf3b36463637edb46e8154202cbbee9b72

SHA512
39cf78389c4553a0656393baa26c89d937cf784c27bf6e9ead7550e511e9281095d7f6ccc5f8d15e38dc5d4939613497da8bd68a19204aa138788ab7dc891d86

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
e04b40b6ccfc6f496547cf1ddefd1965

SHA1
391416523f882a6dabfe2e5d81a1d6476eb10d74

SHA256
111f7ede6b6bdb4721c899eacc7d1acfeaaaae6d89d81cf78a098bfcab975c2f

SHA512
22c4a6fbd41da1d4bcd8df7cc5ce47272fcbf9b42067ad932ac78dde775f5eef96a847e38d8444a243929b94fc5ce0e4d0f8a01701504c51941068975fca854c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab.RYK

Filesize
2.6MB

MD5
5f28b60c50abb6089e924961aad7b660

SHA1
fe4d927668bace9965a0df489891b80e7054921a

SHA256
54fb4b6c292367b1786f893359fe2a0debbd4a565008f035ece222f2633633c7

SHA512
b7457c633b178b08ffde16c3b91f710e17d0f46e47006ffc36ca7504096fba26f420f838f3f3f900c957e654558ab3edb5b41822dcecc65275d29fbf8dddd339

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
62d99a083b93209c018d9fd3e94d0d9d

SHA1
54027addc3409476fba7e0a5698e9dab5db079ec

SHA256
f7d8c5bdac7d553317aab8d7392c349e1462b81f188be4da0953ad08ed230cd8

SHA512
4b0749e8a6dc2d726dd1b3aa6ef93c4e61a91eeeaa69075079bcc55f56f07ac9e7cdc0955792e0b1da761d830a92372434f007a85275ca596f2afb3eea34e094

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
1.9MB

MD5
85802cd3bc75836e1530df647a8f6c3d

SHA1
bac2caefb58f8178c9b5c950375c4e447f52ffcd

SHA256
d5b08e3d266c3422b68ab219ad77188e8d28a050e483e47b97dcfc27bb8a785f

SHA512
4ed8287874435322d70d615893db5a46a94513c0d4e95b49c880639860f0967310b153c2eaaf3552de2bb45640906faedbb495cc026d923b04315276072e7e9e

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.2MB

MD5
f4d6ada3ff4ae7d1b2929fca8fa92a36

SHA1
1117cdda10a3ea55d4ad22c536cc1e76f17c06f0

SHA256
d8e27abfde6f74254611ccfb6c1d788a381981c530213342f2fb29c4d0bac0c6

SHA512
6451b0742a58283743a11dabaaf5f62a9943733811194bd58797f323aca4db15559421bfe0eded909a4fff3e8a2f8c4834653dbd793f13ec96a1ddf3e22cb592

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
2ccaede187c74ea915e1037162f7051c

SHA1
0d186936ad16fa9483062f384ade6ae0643e658e

SHA256
f15ff7a9a6493df00eb01253e6769cf35c5283bf4cafe8b3bd721353814ee234

SHA512
47dc8fcceb854944b84794da4c0c116c7161c09196d718581ae93becc0938bfc8b42f9eae034776ae5c14a51f62e60a25954f36edf9605a102e8765d8c15eeeb

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
552ad370fcb552f66e9c3976cc07e202

SHA1
766bb86734fb25f12ca11263407d4f087ab34c41

SHA256
0a51a847a8e145465c0a56d42992c557779f9927663d9b4416cc0cb477e152fd

SHA512
797ba80de1a12a54da5679e2b72bc8342a9b495937e52318a63e6ddac6350ee54c4eb9aa20f6fc7d85cbe5a4cc416f31a46ec32136eb7de6074f9febc675fce6

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
2.1MB

MD5
b60a4d4871cc9204986e4add2ebbc97d

SHA1
c437947f4cc1c14ff4b712767eb5c07c8b45af43

SHA256
22cb6a9610a1e3c1e0f7160b4c04fb8016653e0b5cbf04c4f92f8fe578032809

SHA512
f07fe1083e83358ed86181daf3f2a6fa3ecd83d429c07dc56553fd87f8a41eb3e2455c396633773fc8f8c139b704145062af31a8739f56d0ca24d74790bc2228

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
1.8MB

MD5
fc5a0ceed36785e6452c616d309d90c9

SHA1
1070837ebbd7e896c3563f4052fead72efd4bbeb

SHA256
cfed341c79faf0b9855c1dded09849aa1faa04d96d5319c6490164b82f5866bc

SHA512
7c09a1de4e9fbdf5ee117d73bee0428d57402bf3ab80f00017a54aa5a3ee9b742d04f54ff2b28fb2c9e2430a7fe343e0299156ce81e6aed1bee4c7630e545457

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
3623b59d685656a2987d24be542f90ce

SHA1
db7fbf2315747d4a64a1a6221f55c4b3fad56222

SHA256
0f6f8d8921d7fe73b75330774a9a4640636b506f050fbc93b3b822348b1d0645

SHA512
6ddcf1b144f2cc642ae8aa3ed3461d853a867e86fb9d042f88e632cbef34f9db5f43d32cd257eaffac14a42d522be841d4b90cc1ada77293f8626ecc6f091a40

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
e79cb2d72c7c84ef8b257c0dac37a7d8

SHA1
d715801a0cc2e3989a3ab7382e66937bdeb45ecf

SHA256
36ad9e77e07e444896d2dea57303da4a89794f5d84d8064f10a6f60134d2404d

SHA512
b36f1581f9ad40b131d2194cb56703f3baf7a5550f40bf46884dd1c27cb5524848f18208267b6cb4c7738b2f5e8cf255c75e012b53514d552e850932473117a0

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
12b61beb3434e4f269ff4190bfaa7735

SHA1
d8525eecc6379f8107e3239dc3d73a407fd04810

SHA256
30263b49ebec86ebf3d4cdb0f209223c176f9e6a95e20d05fc18e09615798a7e

SHA512
a53d4225e5e66913bb01eaaf8c70087ddfafcedde9b5d55584e384258a9bcc9ad9d52e46157b6f4bb06896e01069dfca3c1b5f8ed11586f399bee6250dd4a4c7

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
2.1MB

MD5
41a48010976bde2e7989bad18211972b

SHA1
ac3b438f31bbb73aecbeeaa78e5797686a4d8352

SHA256
d0cbe4aff7edec54e6b8d3ffc37d3583c3c36bc45f19359302630fd0de392c29

SHA512
e0dba8fe4267c9c2df5f64109d0d4e9dc26ed39c26d4eacdda9ee7c95ca98a288ae5af9045f54ff445ae5ff2b46c39b1324b99ef32f3ae41e381d72abc95bbd1

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.3MB

MD5
f1efe794b1047789d61ab00c58718a1c

SHA1
75cab5e5bc81e2d620662051c4535d691f8f3a45

SHA256
c7faa78a6c8171c183e7ada11d888e18a55f8188982cb30c5d3d52e15225ec0b

SHA512
18335e5b72434aa81e3aac10fb788aa90b47ebfe1abfa7cc4d838f647621351094908e22d704a7ddf55e9c35aaa42bde74dd39f309bb7da9d356954518341071

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
aa4b9ff2c76ce7617a97b2831e3e0ff5

SHA1
9e69cad85a8e3ff115bd68b92b4ca788ff9ee8a2

SHA256
5d61a63afaa0e328eb0aada2fa53d6a9d55b8d8e1c3b6eb9d9a1cf050ec03cbb

SHA512
3b3aabd5c4c5b12121b1f394a18b2e26c3c58fe089e71fb277d1159db980a1c99e3a0bfff24b8ccd3e2ab4a352583667ca783ea31ff902cb9811b026fb0b4e3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
2.1MB

MD5
76db3d5fb41271ad4775f9a45411521f

SHA1
8e4e3336d0a1b4f48b57a26161853d6bdd83609e

SHA256
7286e07315e4554396e596213e22de5a31fad22667de9f6903e6df52cb4102de

SHA512
0f3341b1b75e8965635cb1bec7d37902a3a8a053f109f140278b794577bc3b1d3d0ea477423aa90b53cac3289d13a436a620cf7a7db90c7717a916ac40e1959e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
5d1ce8997f982afb87486bbe3dfa267f

SHA1
14a0ea20849d5ca50c5c201711bab61258178357

SHA256
5c32d7489b5fb39e4d9e52d5d3897ee34d2d7dc5171a977a126ac64548fdddb4

SHA512
7c1da58437e7c95d1b7ea81d43475cb5460f9601710a13ae4d1553fd70ef72de26c9cff97d60e3928f9f85664c730ec20a963a0fdafa1a3ef486e8877291f298

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
aecd65b38d8663d13fcec71d8588297a

SHA1
fdcac85a1422e68005743183226babc24ba16f4a

SHA256
3f4d27f8d80bf71781c71d5a5893b414880e88668eb3d506ba201da9e7b88f6f

SHA512
710749449ce98069250e956587993a8345da3b02a254eff7754f51f87cbd6bdd2cc8c3e9c1ba2a6f5a75a5f202017709c31cb644494b7efe76ea11a5005938f7

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
768KB

MD5
7ac0ce6d4ce60b008ea6e3ed83a00e05

SHA1
962f86fa03b24dfba2725b34ab1f504cbb09a852

SHA256
80214432e35a8df6db358ac4cbf47a5873ea0c6b4c66dafc5b0f3ca273880f03

SHA512
e5e3be07671de53835df04234bebb22c48048e89225fead8710a658da93a930694fcab2c194abf06d04e19a4484715e36352979ca8b57624a5f78ac9bd6b32b5

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
669fd4995855e89ec2420eb1373b0e7a

SHA1
d053d5718f651dc69670480795b7910a9a1e6b38

SHA256
c9748dcd128ff2688995e440493ac8afb0710c23694f8c053d6b19d156705258

SHA512
4192e468a46b77d24e232d70f844319cc89528b14e67c41470e561e51ccff0b3e1728e65d0479f31b931888b529673b68fa28ad51e9c5fece5d53b4e20175c9d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
3f48539cdab145a3c17fc9044b87c83a

SHA1
c8d555f0f731881e6d5d0dd412ec2b084aa2e727

SHA256
d913a233091ba6f2c3f7f494a808cd38e1172b1370d39a4296e78a25147a2ac3

SHA512
e3d53d33aba39001a7c39f6d62f0ea2c7e281699d5f81a3982e1d4da1a9188feba2230b78b3068203c34ceb8a29cc594624f5add1add69726268aeb07cfab922

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK

Filesize
1.3MB

MD5
da4dd8b6df4caa1e71b8995f544ccd23

SHA1
22b064b0bfaf4f38cf92650ac323da71ed237428

SHA256
4f384d0ea7fc054ae7c0ac4491b2ee9d54f8e9d9c7f1b82bf602a3dee1a421e5

SHA512
3df9866d436ead997f6c1fe63133253e2ba8808b5836e7a6bf3711d57d9475f5046ca2baffeeee58159530e984250a704beca5761b5d9f60f4060f5e08f6da72

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
8541c85c16704284689eb4030a6054c3

SHA1
8cda719954070c370e06b2de565371466cd0f785

SHA256
7784a0c8c7bf07b52d5e5e483db35f01a3af9365993040026425c111742e6d7e

SHA512
75506101a0a7a01a543e20ec81acf719722137a464dac1f4861237f34585b629c72bbfbb0f17a072c4699897a05cf71c16a246318365ed4584e44c1b943b650f

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
a409614415b8c60b4f0bd9155872242b

SHA1
89a6da5020023646a828200cd9aff7bed9689be4

SHA256
ba8bd6740fa164571791fcbeb2a60c1c2c19a230ecca9ae61074159141a285db

SHA512
edfd5f91a801c7ffc0fb20b915208cbffc13f72bdcc3a12b2e72f97bc3f47ef6af8086d007d4c8dc8a11eab456eacac791562e59cdc396a06b958f61c044d191

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
e2dd1b7cc26c6ab21828b216b2fcf889

SHA1
b6503be573b6096dec496923483c915b07a5e96a

SHA256
f213bfd2cbad93623f8ee4b0ccee3ffbf8020132676505b89b1f3cd543736eb1

SHA512
467055e8aa9dd6f2cd03b123c629cafa64a2749de62d61023c031275cb3f44fdc5f36ddf5ee77fe8cfddfdf188ee059f5580ebe66208029da139a35694d6b972

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
38ad7f72b8b514a1e1fd780581d8a5ef

SHA1
e301b5aad1f33149b7f3531eb95bb63a6637ced0

SHA256
5a3ad00ea866282c4fc0fc531bb6f3b88300046d15f46b4b0f98cbde8da5c6f1

SHA512
3aac629abbab0f05afa7e107635a3479a399003906cc37fedf104238ebe5c1c45f9887be1fcecae1366845e9ba0409e36b03c9f88bea2f7584818dc65479dae8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
8948d1d87fb556856ad8be5040b0ce74

SHA1
1474a691494ab96873e9901ff95136860b051ba3

SHA256
3cf2021d721aac9ec986f4d7a824919ad44c6df4b1bb0d5bf286d64d10838406

SHA512
936b2ec236dcff39ba6cbeb2a5a381b3514b6eb45e7c3a76bfb55cdf95cfe6cc9df82ea535891e8027866bf6e2562f0c0cd67b1a95b8c716d349195e4b1a1d03

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK

Filesize
1.5MB

MD5
79c2cdf492776427c0b180015405539d

SHA1
4e72cbd03b73fd7995c7637a3fb775e4a6cd2398

SHA256
27d1e51fc5d08ea1a4055d61fc82a910e089b3dd48cb2c49f7a04104ab0b8240

SHA512
ccf317cbb0127e199abb7349c00b70cf31d33aa285abdeda7faab8e7541399c3462392dfcd5c2c434d558ed047fcbe3abdc740cd5162538b05a7d736ecae2f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
620B

MD5
aad27a2b7aafd7847fa58ddbf07a2d25

SHA1
5a367ec3a44b5c079d80e414555675e316947d28

SHA256
317a5d236c321ec9dc865b7a3de107bc160388e0b76102d9067830618f4b942d

SHA512
52856b0a4f2ee114c19cccd110355e26dfe22c6366f9d755b18d98cac33f1a84ca56aba177fa105a1ae6cf46c11e2a738eacb389f9c1ad3271d61204cb1b0cf3

Download Submit
\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
\Users\Admin\AppData\Local\Temp\GEiQZcbThlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
\Users\Admin\AppData\Local\Temp\OZbjWsMnxlan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit
\Users\Admin\AppData\Local\Temp\ydOxVrPGflan.exe

Filesize
127KB

MD5
e8673c8a299d1647ead6f3da4565ac54

SHA1
71015f9c281038d63bf7cd45894550c1a26c6b53

SHA256
d0d7a8f588693b7cc967fb4069419125625eb7454ba553c0416f35fc95307cbe

SHA512
90ad0b12c8de7e22c997f5bfb84f558f7cfd78a1edffdbe45547f545113d7b01077dc5962f3f941e383de390cf946405fd73d890ac9059b8f5a4d491297a72dc

Download Submit