ryuk | fbb346ad0acdc9e1926d5326f5738be955818e4ec19217e0de357ba3930731ed

Analysis

max time kernel
53s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
Size

322KB
MD5

d5793b66a9a31f2ebfea5f9804d77dab
SHA1

4f98055913500597daba98d6fd6321d007a4c271
SHA256

b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6
SHA512

06dd7deaee850fe4fc48bb8e1f5fd7b7f152ec922318953a4ef61b18ba1f5e60785dbb3b6d14d87b4e61613bfdee2d23a6043213411d2b788a6736286db9170a
SSDEEP

6144:o+C8oeP7aBFjcGv0deUkE0vNz1tVCF7OfmoQc:o+FP7k9cGckU/0v1rVoc

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'rikzcUO'; $torlink = 'http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://lgjpuim5fe3pejmllygcffape3djui6k2a5pcbpuyvps3h4ajb7yf4id.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Executes dropped EXE 3 IoCs

pid	Process
2908	bdBggEEWlrep.exe
2684	TGwraTUnOlan.exe
1672	MjWrpRdNslan.exe

Loads dropped DLL 6 IoCs

pid	Process
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5676	icacls.exe
6156	icacls.exe
7228	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2908	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	30
PID 2088 wrote to memory of 2908	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	30
PID 2088 wrote to memory of 2908	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	30
PID 2088 wrote to memory of 2908	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	30
PID 2088 wrote to memory of 2684	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	31
PID 2088 wrote to memory of 2684	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	31
PID 2088 wrote to memory of 2684	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	31
PID 2088 wrote to memory of 2684	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	31
PID 2088 wrote to memory of 1672	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	32
PID 2088 wrote to memory of 1672	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	32
PID 2088 wrote to memory of 1672	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	32
PID 2088 wrote to memory of 1672	2088	b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe	32

C:\Users\Admin\AppData\Local\Temp\b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe
"C:\Users\Admin\AppData\Local\Temp\b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\bdBggEEWlrep.exe
  "C:\Users\Admin\AppData\Local\Temp\bdBggEEWlrep.exe" 9 REP
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\TGwraTUnOlan.exe
  "C:\Users\Admin\AppData\Local\Temp\TGwraTUnOlan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:2684
- C:\Users\Admin\AppData\Local\Temp\MjWrpRdNslan.exe
  "C:\Users\Admin\AppData\Local\Temp\MjWrpRdNslan.exe" 8 LAN
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5676
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6156
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:7228
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:12064
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:8392
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:10220
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:12216
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:12132
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:7232
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:10388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:8344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
302b3c2f37aab0fad69c4d1cc9071cca

SHA1
5092fdfb7301e6ff066bbafbe5710e5da8dd3909

SHA256
be2be6e0401c8727ed067cc744bf2bc99429993ded2ec33b1bf3e8ebdc634af9

SHA512
dd17dc840a498f50e9307a45e5f54f88a4fb7b2b55d629c19fb239a49b5f517cb660a42ce12ee6f5c1a8134bc757c094ed4b0c3ca2fbe6201db7c3279ddd49d4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
960024a97b48c262703f61b85a75fd73

SHA1
f371f0e2d1e2a637edba80b8430724ba3f2932cc

SHA256
2ba307c23e31d32300d7df4ac36c096b28dd15dc37b3834d9d627c72e2867323

SHA512
5bec33e2a094084ce6a8dad7e45976b123b6d1d28eed1fbb4e891f8c9230b62c4f8d6357fece05007b8c11a05033030e37e7dd291c27e6e8935d46b2a0794bb8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
188974aeefd072eb4fc0f3a7546f7bb4

SHA1
0fb46298dea1b2eb905fc90f2a84aaf3e2317cb4

SHA256
a0bc201ee1e1a5c57632b64d3a0ff5c00ba9c32f97c523ccd2b16948211f741b

SHA512
b64aabaac5d63099e47caa44dcda797fead0769a1d0dad0a197713a6ebb0f59b62a9f78adb63961385177dc5f2e42b4ba85383e9867a3f64539bfca1a393f632

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
23.7MB

MD5
f2092c3fd43b81707e3f180bd29cfa62

SHA1
06c9e8e00b8567d1df76a31bc96178fd6a568944

SHA256
05ba7345ea70bbb12f8e655d53c88cfd973b6788466cfaecb0b6ca3b961b09f9

SHA512
f30151cf6849de5c38dd9391ec0955d5773a7ef6f2d3481555262b9a0f2df4554ac020a2df945f6cfe9a7db29151baaa08d76b4662f8fa97d2e5f9f5cf03aa4f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
cde277ed8b27cf49f88d3e65df30baa3

SHA1
c1ed562f754ab8722906a3fbb33debae9a7341d3

SHA256
cb3bf89d696981f541b569c47a1854a2f760019a10d7562d16a8e4ffcf109ec1

SHA512
94b6dce80c8152b6c58bb1cfc71dd22c58d9c4760f7c7a77293bc32aceb4b674f31b7c94da7564adf4402845a079f0a1eaca88931006871921a72a2b479e4761

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
e92d0ba9d2ad199165aadc64529f51ce

SHA1
63ac625c4562f0565df6c92b3516e4ddc54c7e17

SHA256
60acb31e0e8d3ca570a06e2df331d083b58872cd681d29f7a926140fe187d623

SHA512
7f0200a77ed54d4626efff9ab73a3faaf3b503835e2d70dda751276962cb506b664d05e4a1a90f3286edbf1f52aab49562ddcd39d7fadcf3f7ecc66aab58072e

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
55ef6c63b8cbb88ab32da0cfe68e4879

SHA1
1be08980b95b438ae8f3883b8dd97ec65dde8509

SHA256
1568969831c00b30c9a61376e3db9154fa60c06d50a1c2aedf34a098400b8f0a

SHA512
0bd7d22ba4bb17c7d122950749b167212973c47125273ca67bb688772a157f862b6dfb6805e0f11af0580491f7542db621899bcf57700860b916a287f646280a

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK

Filesize
16.1MB

MD5
678dc1bf94bfd6a5761823b90882926c

SHA1
038ce7f5d81d1151710bdfd5aba682b5df764762

SHA256
4ccbc611ff3665c5354b5dde2aea7a4e891ea758d0b610c01b767623806c8b18

SHA512
a64eec91c8ac76e1e0653f17ded9383d5de6bfc334cd87a5c2112ac8676ee1dba43f3af01a46510eb54427fb82469c37ce8439840c023b5f30a06a105182377e

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
46a4a077bcad0ae2df1be37ff83b56a6

SHA1
488d8ada6721b939763cebfa5e663b9d66d21efc

SHA256
0070dfffb2b76df225f54b9ef0e40588fc028afdc46f61b43db74d1c2e3e668b

SHA512
e3d2cfa196723a40ff3f325486ce4d19f448d7543ff2e38140ee0cc38187c1967e87701fd1c14877088d9cbc0863cd0a0eacb7d31783e31b66b7c7381cc55243

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
366c27ab5b97bbd61030926ccb410ce0

SHA1
2afae6fd99de8c5674456265cdfedfc638ac3206

SHA256
9bd7746f5c4be61e3f9aaf1698c27ef6868484be3d6887090432451e438979bf

SHA512
c36713a0fb61a32910262901f1e8ef41391b785ba0f117d70b3af0182f3a746261c79f3eba49efcf9fa524d5fade6d06676a248181f578fa9b47d8c55b4ef85c

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
be90ea866512e68d02be6a4400d01cb8

SHA1
a4c47c10dc7ba4576885e81d641ba3a546610292

SHA256
98ceaf311f24da830a2d63252ec00ca94b8b38400e1d129b88fd5aa3cee43182

SHA512
42c7f8d998fff700b646d6dfec5cb03925cfafd60858d035ff7e763ffbe4f0216d88d0861e418f86c56faf89134fcd9a4c9b51a5b730f2db00e893236f19398e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
585dca79278f896dfff236408af03d11

SHA1
b9a37f3f79abcde6e9a00f3447909fdfc4517631

SHA256
b961b339511fbdd23c3ae0848837300aef865ea609f33cf0f0534cb8faa5b30f

SHA512
f3167a7d8ef518fb1b01fb9ebe2c5c4f04460992d66f093270a836667ed587a2a4a278eadd161e5ce4fbed4143929fb4fb47ada98548074d9fe0b17cecbc9771

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
8d2e904b89a4a2cb18e6a4a5089b145f

SHA1
0a4c5a1ddd1284c70856b749dbc316613c914214

SHA256
5eed6ba28c1ce56a59cf5419d186fa39a0ffb9aa41e81dc73a518b456fef45f6

SHA512
2a19d50acf48ff746532ffa42a60e54e0808871a32fbe29bd5839f97a45a80b9408b1800186f5cdbc6266cede6d75348fc52ca8c216676f567ca052ff080ee04

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
a2938b531e1a4e17c13cca375619de61

SHA1
5c887b5446daf20c99d63b01bc67c9bfe52bb60c

SHA256
22f4e037c3e4e6b3ed0769addc0307ba4f185186635552bd5287ff5fe78da081

SHA512
0520bff7a83f48eef29235c6b39dd32255661f99c0f4bbc76f676dec4afe108f9c8020038f4d95187ef18be6d50b40219398276b00c7ed858968613ed563bc93

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
9.5MB

MD5
27bdc61668042d0c689c920150606094

SHA1
a37469d59769c700edc5856089266b881fa21caf

SHA256
37e0fe2ee86bcc584c7b79d6ba3ceba3ec69ba9ac96ba56d8b3739021318ea14

SHA512
554cdf4f68255b48961e10489df1747e3353900a3ec82c418f8bd5c64631a73d3fb947d73028ef0f0576a22e79b49dec225aaa4902cdb1bde5e1dc9333392d47

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
5a74a9e4423e552903d5408f32d5a259

SHA1
57f46427c90e3e6e48ba3363ba0d19016d7f5957

SHA256
b0a64279cc3711a55f1d39f4101e9892cd96c94da940f2d5ee2d2c5b99f561c6

SHA512
d9a01d536dce6c6ccefe05050218f6cc0e35be91df423ddeef1717697884283ce206ac26995684732b9a14c79e6f558bbe4354580d47e90cc736243d794920ed

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
6655a6791f728bb4d8bbc1f05da4c637

SHA1
9cace144ef9ea7ddc612ce56a263a75039871c0a

SHA256
f744784be70adad981614139e2bd7a395f43dc9af0d2dfd38c8b83990f8debec

SHA512
bfd61355fa38e9106c829ad9fa98f0f0c82b14ac9d2bcb78121b2e0cae7be6aa2bc2c586c8a3b77b663b443afb1612feb03b8a05f84bc8eabe3cc83487b8df5b

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
7882b9a4aa0f75f03bb0d08ca9679467

SHA1
a747128e76fee06ff5c2133d575a38910c350960

SHA256
401dd043b9cfb7b3602209539b1ee85649c93f2667915af5f0653c42186ae8b4

SHA512
5420fd0345a10f8bb8160f786c2a211d38e900b8ecdf7f0ee5b74e8f780803449374df48b451a34762ae4a37848e7d7494fc110fc432469be0c9c33472829ca4

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
14.1MB

MD5
e4666289f9eec443c262c710813b10a9

SHA1
4679c7a9d7f897dc0fe57e0ecf45a8e86479b86e

SHA256
e626fc1489b3ad4b8fc302213f5fb72c8d0eab393eb31e7852006d0ae5911242

SHA512
9e43552bb0816a62d146a59cc28e2101f841a8bca4c013c50cbc6f7145925c47ccdaca0259c08c30ee1a4cbd1ffaf8903e74ab8582ae78c83668c0d48064c808

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
f39d44d1136474427afda4665b3a4d69

SHA1
87189fe459adae340513acf95ebb172bcb22bd26

SHA256
d4d52a768fdf2cca2f70dcb26320a66092b6ae6765dc734f51b7f59f87309531

SHA512
592804e58d53452577b47746ed2c4bfb28bd0b43668b47c76041c50695e28d979290b5cf2d2c208e21c8a166d5c38e9861bd175fe08c25dafd98989170a5dc21

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
3f8713c4e28c381cd321486556820863

SHA1
e3487277e3feb32dc486dbed14b44c2690771666

SHA256
5b62fbb7036db8f2d70dd3735f37f56a363fb2b665022f2a114d9ba057d2f21d

SHA512
3b7289c939f9cceb042045992b44435060c74b1e26048796d949d391a3d436202b2c624b4e1cbb42a0de150bd966df46a541f6800274a2b7a46bfe2320dd9f0d

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
3960164c964a4b5c0e816633d71a902d

SHA1
030a26640772185677556b6e1bd8ef22430ba197

SHA256
72488a8e5cd6867b96cd1f3307d9c3f8d704222911b5baa91fbf90d37cd84bec

SHA512
51bba9280d18e3dda60ce88f484fd0d3d7e35b62f76232da99e6b7fa3c9e5d057c11080446e293755e1b19dfc05b92dd5afa9855ac08b5a069b84b46fe78e1e6

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
0d2b0dccf68593bb59b8db18d31a5302

SHA1
1b69c7839ab1d3644e46667debcd4846a7bd1c5d

SHA256
a78318affd12441f61e01045409145375e7f1942410016634f34dd8fc0dae52e

SHA512
025f45fcc1ef26316d1fcbb3891413aa01a50acf89dfe5132248a7dd6a14c94e2e28bccc950eb8a96797d70daee8eb259f7963e96249e7b83b606b1e1fa4743a

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
35.8MB

MD5
3ace3a1566198ee0acf3b95b7c19a94e

SHA1
49bbebdf432458684f9f4fb14f57de9ae5c50ff1

SHA256
b24e0de19f6b4277cbedad281c84e2b7c7003e9068158399c43785f792bdc064

SHA512
eddf201741de12ce2313a98f2a80e8ccc30c096aaf018e27cd7678c581feddfab878889c55a9b4ccb2d161aedf4b89ae8cb0132f3ae863dea30c845fd3fd86ad

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
46171ff8afd2155c45d160137a6aaa86

SHA1
932762343f2561c1416905ee18e581e9c10a3982

SHA256
518e913ab8fb198087c81f1a68d8e2f8032df0c1c4a7848d44be8b9b5de32ef4

SHA512
4d821bf654c985d4ee4efda020ab693bf5a80ffd11da05393ea48e481b649325892ea2f8298dcd3d27846d68d0609d7620a4fbbd38db6e08751cd102795a2de2

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
676d9ab276ed8acd7761c0ffb2df0b85

SHA1
2d8b938d6da2afcee42e27a2a672262051986371

SHA256
e2a595300610542a40a16d6d84b3619b89ed58b2777aeb627b00c969d1585bf5

SHA512
bbb4a60f1e33ee4a5d425fd8fb11777fd2ade4c3cba97bc20924b620dc5180ba8409f10bd743d1ef02f25b948f0088b24b5c4785a8448371e026d1baeb14038a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
6c453857fc96f2fda2bb033f24cee49c

SHA1
4875e91bbc330f5ceeaab73979919ffa32407a05

SHA256
d82d85b764b070be9fc400ee2bd77158f99c76565bb0122aa49e831ba41701aa

SHA512
2b1f06a36a169d93683905fca01cb62ee92ab921a890a0c696cbbc0fb65c419615849278ff1e2c0b3101e347073a135408da3754b9b4dc9bbdbab0d8feaede40

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
f6ac86566677d90b6e47688a056d9ee4

SHA1
b3b531b3164ff7d9ad4afeaf947ed3649e1a9f7b

SHA256
edb94b64d6aa9e50f9a97fab74460567b3fdd1211326dca701f8fea9d9b589b5

SHA512
89192b2e5a79c92a5b7c8e4cfa98a6038370c8ae91e96f29a84fcb341b974373c075510cc61added44282dd5a3e59809b229afdc8a108fd4d1c69221ed8b1619

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
0d1e3db1c3bc718a92b0d762d128b511

SHA1
69719337d49e58c7e00c5d40ab0b13e39d903654

SHA256
62c5ca61bb6156023c24ef61e327e942cb65713c3bb8b23d0b3e046ccd66d6ea

SHA512
79a8d2b47f913b2cf020cd876517b756c3714088c86f640af43f925dd701059afd936bcd00ad30a3ee4434ca74b8f372f45487124aa418a84527f481f1ab56e2

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
00341618d18f8dd88649f9665714618b

SHA1
a2b4dce11ec09a53eea994ea0f672541b3d8267d

SHA256
97a0e9b39c24648562019f3f6d84fe7b1d50d5fb8a3ce8912790e8f45abff31d

SHA512
3cc8aa9822a4aab4291dfcb48df3f7cff6f543b0086245b996f8d3656e95e31c05353306dad0f0b46b525e3a181881a6963e7fcb68ed304d04a77b9cab419f40

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
1872104a43dbbb47bb714b4d4ca1b7ff

SHA1
fbd123ed929f7a59f32921989b4c0c7f33bd3e55

SHA256
507f7304cfa32828411aabfc2fbe9209fe6a2b6237f4d856fa0b53f2e2c3c14d

SHA512
79d86ba77e8fcefeffcfcb742b946e483e3757de52fca9f347b2276edaa4e2aa0afc0d80e28e0734b7d5029e0974666411bc37ba11ee09d1618db19fa0399d24

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
e2bea977a7c0ad2b5390d2b2d1d91b00

SHA1
59e2877f5401b4058ee83beb75e8b063a3ae4424

SHA256
380d39783d67a85682e6badc2dadec74004a36c945310dfc72500ba7c13e9a7b

SHA512
cfb70db14178825285dbaf2d10b2e36ef7ce348d08c0bdcedb7d36e3714b6896a205df1c5bb9ffac27b483c202657c61ca08ecc998cc858b6d4f369121348e43

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

Filesize
19.5MB

MD5
09ab156f0f060ce71391076e15996d98

SHA1
a2e4cf0c836630d800726921f54b801814b7a19d

SHA256
b95645daab92be3baa730dd5a09628e7a0faad2c5bd24f7f77d81a852eafb359

SHA512
e2934cd161d8c96333bd36fefce4eecd888e277e983b04b5bc7c5319cf795118302754cf392a252a89cf726bf26858fa31a2666e1c7b58667a3913af96bd65ff

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
0217cb034dc2e1e69705e49cb12fcbbb

SHA1
fbc390316e4ece5ba79a2f57b23f99a7e569e5eb

SHA256
6a1b2975c11a81ea7c1528b1bb72f382ec3ebcc881b48b1f3bcb87a4ea47107d

SHA512
c256d2924ff273b9c55f8746c019bfe3bc9077d8e14ab7f9869c799a81074ba095601f6b85beb8b7d1aab41ba76304992a21d7554b219a599c0936ae143ecd1b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
52169c8b2206b9a37ff80e120cf5659c

SHA1
3c7073b3c18729374ba979f074db113167c0d642

SHA256
3c48efa389975d373122e2d860eee57d3635a3c611021dc361fb838218461cca

SHA512
2ce202b793aa96ba1b35c495f52ccb083f8e0ddaa4bdf57d9e3090a8d6bc503f308352fee058e5868138c3b1654f44e66d8a85485ac68795894ea6ef5a667ebc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
fb2355c81e4cc93243ce3d21b85b9007

SHA1
e38a79c656f103a7eb586fe9d2525d471d24279c

SHA256
bdd66927bf5f71f1c6eb757afef0e48a9e90ae4eaae300c34a4fb78f37822b35

SHA512
5c45eaf750c6458bd3684b3fc1e4d1687aae2b68167b87d360aa6f74f43697a3bc480f1c53adccdea62875c3d497baa681ed49d7639cb747452346039ae4364b

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
1f36d8c90c0ee4ce64fb69f64654ff36

SHA1
9edbac8e81fe6986d8cc0bdf5638b2f9753032b1

SHA256
c3d10dad23dd19bca988a9cb771090738c28fce7be29b578b05b5d8e0d3d98a5

SHA512
8f39dc1014b8ef35c6eef581e25c259250e4c460571e2306985c935095b339a0ae0de84c35defdc6f9a6f2a0bb0a82d38089f428cb80d854398f2caa4b86b13c

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
a86d0573e9d63b388139ac662e05efd5

SHA1
c78a316a0def0e99999c6a799e0b3e8150402e15

SHA256
b498458555c8b76893fcbff6e6ef1e69f47d722c0faafa5a3cd4ac06515cdce8

SHA512
5ef1756b611b3b588f93dd40a9c1a58d6a22587b6e2adf8ac8199960d46d3d2dec57ab46b9a1d2bb790b914a434327eea62d93f1d201bdf9a4aef8394928016a

Download Submit
\Users\Admin\AppData\Local\Temp\bdBggEEWlrep.exe

Filesize
322KB

MD5
d5793b66a9a31f2ebfea5f9804d77dab

SHA1
4f98055913500597daba98d6fd6321d007a4c271

SHA256
b218ea35335833ba6dab543183314754db42bace4e62cf5950447c743b0ea4f6

SHA512
06dd7deaee850fe4fc48bb8e1f5fd7b7f152ec922318953a4ef61b18ba1f5e60785dbb3b6d14d87b4e61613bfdee2d23a6043213411d2b788a6736286db9170a

Download Submit
memory/1672-514-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/1672-52-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/1672-468-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-545-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-19-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-55-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-1053-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-49-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-992-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-872-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-449-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-6-0x0000000035000000-0x0000000035028000-memory.dmp

Filesize
160KB

Download
memory/2088-5-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2088-4-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-1-0x00000000002D0000-0x00000000003D0000-memory.dmp

Filesize
1024KB

Download
memory/2088-2-0x0000000035000000-0x0000000035028000-memory.dmp

Filesize
160KB

Download
memory/2088-3-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-32-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-470-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2088-262-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-193-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-53-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-1086-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-34-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-1041-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2684-986-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-513-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-335-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-465-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-51-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-56-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-654-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-1054-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download
memory/2908-20-0x0000000035000000-0x00000000376F1000-memory.dmp

Filesize
38.9MB

Download