Overview

overview

10

Static

static

7

0323b4326b...02.exe

windows7-x64

10

0323b4326b...02.exe

windows10-2004-x64

10

0898a80dc2...92.exe

windows7-x64

10

0898a80dc2...92.exe

windows10-2004-x64

10

0aaecf7f77...91.exe

windows7-x64

10

0aaecf7f77...91.exe

windows10-2004-x64

10

150e8ef3f1...02.exe

windows7-x64

7

150e8ef3f1...02.exe

windows10-2004-x64

7

23e95ba676...7f.exe

windows7-x64

10

23e95ba676...7f.exe

windows10-2004-x64

10

28e7dc4aeb...33.exe

windows7-x64

10

28e7dc4aeb...33.exe

windows10-2004-x64

350b0d6ae2...d7.exe

windows7-x64

1

350b0d6ae2...d7.exe

windows10-2004-x64

3

3a6ebac4f8...ca.exe

windows7-x64

10

3a6ebac4f8...ca.exe

windows10-2004-x64

10

3fe801df14...4f.exe

windows7-x64

10

3fe801df14...4f.exe

windows10-2004-x64

10

41367ad447...00.exe

windows7-x64

10

41367ad447...00.exe

windows10-2004-x64

10

48f4749f13...77.exe

windows7-x64

1

48f4749f13...77.exe

windows10-2004-x64

3

499d936c22...82.exe

windows7-x64

10

499d936c22...82.exe

windows10-2004-x64

10

4b5a6926ab...d1.exe

windows7-x64

3

4b5a6926ab...d1.exe

windows10-2004-x64

3

4bb0d8eb6b...81.exe

windows7-x64

10

4bb0d8eb6b...81.exe

windows10-2004-x64

5de3d5a337...ed.exe

windows7-x64

10

5de3d5a337...ed.exe

windows10-2004-x64

10

5e2b2fe65d...20.exe

windows7-x64

1

5e2b2fe65d...20.exe

windows10-2004-x64

1

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

  • max time kernel
    88s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 03:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe

  • Size

    200KB

  • MD5

    ad3a5956dc4e8fd6a62671a6204d11b9

  • SHA1

    aac34bd5c2f8e63dca20034f24384c2ce1d641b5

  • SHA256

    3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

  • SHA512

    23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

  • SSDEEP

    3072:URQTlkAsGqrezGACPTPr74tOGOq+z3M1EgimoiY6RRerR5GyK231/Bdz:JTlEG9SAWTPr5zgimoiPRRe9HH

Score
10/10
ryukcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'nO49CJnf9vO'; $torlink = 'http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://rk2zzyh63g5avvii4irkhymha3irblchdfj7prk6zwy23f6kahidkpqd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Ryuk family
    ryuk
  • Renames multiple (337) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 44 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\GPpLdnIpGrep.exe
      "C:\Users\Admin\AppData\Local\Temp\GPpLdnIpGrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:2068
    • C:\Users\Admin\AppData\Local\Temp\ocDAhmPcvlan.exe
      "C:\Users\Admin\AppData\Local\Temp\ocDAhmPcvlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2932
    • C:\Users\Admin\AppData\Local\Temp\WalSvVJVulan.exe
      "C:\Users\Admin\AppData\Local\Temp\WalSvVJVulan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2688
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:22160
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:22168
    • C:\Windows\SysWOW64\icacls.exe
      icacls "F:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:22176
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:34248
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:34408
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:34272
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:38360
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:38536
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:38680
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:38764
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:38368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:38352
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EB20E6EC43C3427C0547DC93315D924
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:40732
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 86F342DF57518C59DC8115151276739F
      2⤵
        PID:40884

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK
      Filesize

      22.8MB

      MD5

      328e2b7f1ad1c9e985543b153383669b

      SHA1

      1f006a4a71fc3eeb767fbbcaeac77802200e0151

      SHA256

      af338d616b26054854550fb08fc65b05ccd275ad81eb7926153ea32b87f59b9a

      SHA512

      9380fee1856c69e3d045c337bc940eade5e6f22224e37490ebe0f60eaabb52dcaeaf23379bb224155c89cca57457277a6612d35b9c40c721f9906bcb828fbc11

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
      Filesize

      2.9MB

      MD5

      fc0cc45e540dbc96c36af8c275ca2a16

      SHA1

      6b7fedc39c8e9e946fc75994c78a0a277e6f43ab

      SHA256

      e004bf5d88b6f73dd46b0ebcbc2ff5cb54b53f5a3350019267f86415bbab7b3f

      SHA512

      4f72970e91d51fbddf3904c715783437914f8da7ad25be0f12f9e000dc85e137621bf96aa32aef8f522e47f2b31e06924bfc7083fb0ab2a2e2f5ada712717be4

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
      Filesize

      4KB

      MD5

      5e214b8964ba692846d664c62eb88f03

      SHA1

      dd7bffe17ce2ad1e40d2dd8933620f55f7ffa843

      SHA256

      ea68d1dc37cd863d2bafaa99ae25a7e786dfe9a81c8220c504d0e1dbea740ab9

      SHA512

      902207f2fbaf6a0f1dc40ca79c9370f4c7f27362f7700e66be78e78a696ac8225de33a8e213e6fbbacd67b8ea5cf28d2f4bd08d5d4f284b3241e829c05198f7f

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK
      Filesize

      23.7MB

      MD5

      6edca197667c891eff5b85a46c7dd8a3

      SHA1

      97319924dcefb3120db0c939fd388dcc394c7124

      SHA256

      79dbc42712d1b5ef8639088ebca870f8540fd06f38a2533441d27b6a24dfc9ac

      SHA512

      9cd2446e61d257ec9b6a8fb9f7f1b96629687d3254985c599541d6529777148e58e254cfe04bad2dff59f2c205cae44927dcba604983383369b1df35e9e5381a

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
      Filesize

      17KB

      MD5

      98f4ab61ba30ff886885501f623e4b4d

      SHA1

      b619f6d81d103b87c9dff35a6abe50827443cb85

      SHA256

      b3c3913112f98f2540f573bc05ad569f9f8b01f623ca75efe0ff43fbe95dce39

      SHA512

      9b1ffe3eb9bbf5bc2649561f582860ba438fb9dd7e7111339907b16aff378b020e686a047891b99ef2839a3e3f885285a91918f9fbed0ea92d34c98aab68f0e7

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      31KB

      MD5

      e154a7f4c0c80a22c492d6e324a3341b

      SHA1

      ffec48ad4ebacac631edcc449ce8fff97c663014

      SHA256

      8c35ff710585cf713c710d02ecb909600c51faaff8b4081f49a142505a5db06d

      SHA512

      c25f37d2574f0ec80ee3fb03e6ef6766db39ae7582243fde3aba7c148ce8cbd5dd3534f18ce3f3103d5df744b378e3689b5632d278e482fb79ae99add57b961b

      Download Submit

    • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
      Filesize

      699KB

      MD5

      f3f3375f3c2ed00cf3c6b5a1073d36a6

      SHA1

      f5f0f5cb9f125033b9dac5fd6fa15bba6448614b

      SHA256

      8abb13c4a54e016f3a1553fb357b634abd71933409e387ad7c71c2ab6b9b1861

      SHA512

      bb5362a79a913a705c0f062aa972cb7343a7236e3aec29c6791828a1d86fabdb814f6901ffa7bde646efea15e8c22d1e2305c8c2dc3d670cccae0401597cce49

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
      Filesize

      16.1MB

      MD5

      11ee568b17483ed4c06059169c504cc6

      SHA1

      e32278c07529f4c3d64ce43199140e4a406f10e2

      SHA256

      269bd2b48f7b1c8847914e8f171e241a705cd6ce5f7b55bc7b9fc86e733a0937

      SHA512

      e8767f7435ebdb44fd85a5049eebb6a1eb1c6b7854f7ea4adba1f90b7e6936000beae7e487b93f91199ea9f81aa593d61030ae1378e15a063109568a73a39ed3

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
      Filesize

      1.7MB

      MD5

      5d88b62a598807f7ffe2acf53ee2ed72

      SHA1

      d9cb9ed2f37715e7e37bad1e623cacbaa76d2f0d

      SHA256

      4e1f7d1f6229b89c6ac30b20c6635a620b824ab065ea5c3d852f3f827f750f49

      SHA512

      c3c22784dcada0c3d4044e5e863c988b77c2934f5046ea1c866609b410e8f40a694c0b7d710f2d0f0f8e15ef37e399dd81f2b3116505d17631617f1f61fe2481

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
      Filesize

      1KB

      MD5

      38e7ee2278bd7803cd8fee27615e5d72

      SHA1

      d9892e6d3358755b773fa740bb372ca2df36fbc9

      SHA256

      e458c8ee4930c9ed6f748ca4c74a28c02c4e4c0e33c0c1a234c0621293a5e989

      SHA512

      686b127bad31fb01e4c741e7bee345a1459c8900dd4d52d332fef11c10b32dcad52b0aa2cd5f252e72c648e0ac9eb4c99fb296442c5581c231f38cedf9837782

      Download Submit

    • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      2KB

      MD5

      c7b563bc5a02724ea2ac168f773177f6

      SHA1

      50089d64e5ff370bfc8629f64c2e8d1e076e0c1c

      SHA256

      37dfaed6f63fb805fe7cd02f0445f794b385753c522f2befde0eebe94cf9b234

      SHA512

      71ea6087b1b4bf418537bfb988f871f5006f159a79d7c7667274faa7951f1abd7348fb0621cf10327cfa9b6a875474af62af2e89879b8f9a5f57a973b7e6274e

      Download Submit

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
      Filesize

      1.7MB

      MD5

      319a510aa45003161e53a78fd222a73b

      SHA1

      8ceb4907da3a86fe33aecba03c2a3e252c34f3b5

      SHA256

      c34a640db3e3ebfbb9c501c70004e6accdf159001777410e66ad0495d4d93c93

      SHA512

      7870afaba2d75d42b492adff709078d352b207743b4870070d9e5d6aeb0c2cef799d1e0f37e59789fa9217762898a6854dc513160ea10697e42674146181a740

      Download Submit

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
      Filesize

      1KB

      MD5

      8163efdf619bab7ccec003cf6b947739

      SHA1

      f231a66bfc9910a77aeedca578d1786aac9f49af

      SHA256

      53c2ec991c073088fdb7a6e312c107795cc12ac989c19688c46cc1d2d0598fae

      SHA512

      6f229bce1540c4eb0dc652e29b2444149241c18271c97c4324d9ff9499d4096356a67c431758568baf5e2b8040006634620127332fd95b5333805a6595c201eb

      Download Submit

    • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      2KB

      MD5

      a93e039268a1663d2cad5612b023b498

      SHA1

      3c89d7983190be10037a3348265817114e6f965e

      SHA256

      b6e787b1ade7746bd5030a7fc7ea8143efc96984938e455c67a1519a31be6ade

      SHA512

      38c92c1bc27662d6556d15fbe9aec811e1cec6b9c31c29091c044d5ae7ac99ceed2cc790889c66a926ae651f7359adc5f250505a2b5da683b703909a2f486ce1

      Download Submit

    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
      Filesize

      9.5MB

      MD5

      6d918ba9b86867326e1c63c3f63ad508

      SHA1

      08c97f1fe945c9e30095403df64a4f6d819ba884

      SHA256

      4fe6d1715b410e6a06b557d24451490856770adfee6592f7dab5656f06e47c51

      SHA512

      6d12253ff6dcbe54ab3315d80d000c545a9f1d69b742f0ba3794114eb5c4997824330288858d380758c2dc7a3ee5a8b397e43f48bf45363341238420111a6c9e

      Download Submit

    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
      Filesize

      1.7MB

      MD5

      0a0284f7aab7ab935fba15ef6ac43aea

      SHA1

      4fc3ffdf02fdfa59e08539514d6a157937a6ed79

      SHA256

      7f8b9778c52ac99f0c17894f5320ed4e8602647fd2bfc155e3ee7fa9b9d32ee6

      SHA512

      daaad96caf7fd409307bb146128ed4853d713070ee801ab6f4cddc1394c9067d922e90c819a1ba5faecb43ba9347afc54e6bdb46dc26333ad3d3de7a91db29da

      Download Submit

    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
      Filesize

      1KB

      MD5

      c36fc3120add7ca07a693bf8fb8b63a5

      SHA1

      8d3d18c13dc78adbd0d198d04abe47b6e630f0f2

      SHA256

      cfd69d0e1e2e42c024106feca7d3d6fa8e53b55dab289609e4599ff06e891c31

      SHA512

      48b8defad046646030ec1cb5cb0a2559121b374267d6601674067d2d5d8253877939f7a7f4048433b082f6870a524cce0dcb9cb5ac84a34d08cd245642ba6dff

      Download Submit

    • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      1KB

      MD5

      540d61297e983ed122066c5e880f18f8

      SHA1

      dc50f6869b0f5425a70c44914090dd19eb8cbe4c

      SHA256

      f48bafd014db006c2ed4244735cc66e90a69b8b5ec7e228ec587c84a574897f8

      SHA512

      6e3a56c9576977553e0b7165a03b589a23d1c7eb10884fc707c030cb337b7ddc55a177ae52796f98b7fda986068010eba94e8b15a8bf26540fb0662738e083f8

      Download Submit

    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
      Filesize

      14.1MB

      MD5

      261041a63eebcc8853b4a26555d36f4e

      SHA1

      e505ad507f4b849e7f5de6cf918d3e9c3e49dc45

      SHA256

      ea97a8f4765f3900cf77338d8e3822e5de972c26f8979368ac9a72f590010ac1

      SHA512

      f5afba14b15b5a9e25d7724848579a93479d10722a99b5eff37244b9a07aab0c377b68619edefa30d626545030c4308b8c7b1b546a54e332ef224eed330454eb

      Download Submit

    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
      Filesize

      2.0MB

      MD5

      acdc0c681a3b127db64eacd58ea12c2f

      SHA1

      153c793fae4485e873efe5eedf469aadbc282251

      SHA256

      8b55793b39c71487cd73cee7b32ac44110c5d030328d8cc5fffd1e57588dd769

      SHA512

      efcb00e65244d39cbffd247170dadb1fcc90a07f83b9f2657648fbacb22491b5844a1a77495fbc2b089d0408c47cb5a71bbd52c0db70d6e374c57ead69bfe604

      Download Submit

    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
      Filesize

      3KB

      MD5

      b701e54f0177569bf6728937d4cd4a85

      SHA1

      df9a5fec8dad7d068de06d3f6a25b42324eafc01

      SHA256

      f381bd086ea18c08d5f7dc6252d45e11cc84402e6cd176155d15543e4faaf034

      SHA512

      9a9d3f928593efb1a8a3ef8481aa6ae4fdddab360761a02374cc40ef0e6890c95f93b424a1768759c5f8d312786e15b793acaad46f789b20743b68e1a55a9ef8

      Download Submit

    • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      4KB

      MD5

      5a34f9e0fca064676dc9e4e5a2d3d978

      SHA1

      f8f0c13c3011ef59f303c638ac2d1a0c037c2404

      SHA256

      0b2e84503c7f7a79adf7ed640f4c73702fd00244e9599464e4c7842f6a00750b

      SHA512

      980d9c2d9925240107db1e5df81594a5ddb67037b148849b8204c0f4e298108c9f396c3dddcecf90e35f58cbd5f82b286692b2aca85b33f4840579e13060d611

      Download Submit

    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
      Filesize

      2KB

      MD5

      9cadf376879f2ae519a6767b06964ffa

      SHA1

      fcd53f2da132aa5127c27aa0c0233a3b406fd780

      SHA256

      f52d45847bd4a78e7296ffa587bb9ce3a8d99554ae5e70c5aa04ae4dd613afd0

      SHA512

      c32c227f43ca853e149b5667e4fa2f240f6cd25168dcfb40187cbd5043a2883b5cbbae50e524b520ed797561338dbb38f748bc6151e46aedd9ae4a2ab1dae3df

      Download Submit

    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
      Filesize

      41.8MB

      MD5

      0720fa471b55602ea88ad9c65c8a773a

      SHA1

      0001c4253800b68d357e6d834ac26a7dad6a2675

      SHA256

      db3b563ac4a41e91ef417082620b3bcd81f2c1caa9e9cf5c29053078bb69470f

      SHA512

      b60c06d7a47c19860068567025ac4d53bb95fe8f64fb740a2110a13972e83139cb307da3bd065f70a877400781bed3deac5dc1b1c3ac4c5b4e69d05e8b5147f9

      Download Submit

    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
      Filesize

      1.7MB

      MD5

      673853ced9d72e42a25d4f95430f6e52

      SHA1

      127cb16a8be0cead47ec491d24b7860318035cb8

      SHA256

      03b62a238aa9a58c7f7a0a43762540b8bda09c5000873b01ead59828c9fbfa75

      SHA512

      a1213d4f1fdba47baeed35e12c8f625ee61302a4ff78ff297b76ddbcbe5668718d12bda264dd41e6c71c7dd2e3da711f92f8264fd3c40d126f7f534167a5e2d7

      Download Submit

    • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
      Filesize

      2KB

      MD5

      ed3df53c7d7444040be35969b5d6a351

      SHA1

      c5b4948a6672879389f47ce80dc307077c18a232

      SHA256

      0790999afc6db2b2cd63ba367429197cfe0b9f848dc7689da4738f06bf8ca627

      SHA512

      4486fcf7243724f4114e90d19cb47b9b1b5019937ff6636db6316f277d6fecd69d149d7982b0c72312fd9b3c8d7b637e55a07d9e16aa4495585b3d77558c2073

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
      Filesize

      10.4MB

      MD5

      7a8ab00acc2da06788ac44e3fc224fec

      SHA1

      b6c150bc7608d21e9a6f3549d0fe9e609d012f7e

      SHA256

      8a5994f65e115bd2e4329c8d898abd92819a38e4790aba76ab116cbcdefaf6c6

      SHA512

      316bfe5edb2d807b86591bd78c668397f892cb9e36d8c73367fdb461787ad0bc0c3612e4f307ffee7695841a19ceb4803a0cab85769d54c30f4d81641a421db0

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
      Filesize

      641KB

      MD5

      f336ddc529a45ee104cd0b7e609a0545

      SHA1

      cb9b2e4fc53b373fb4943116cc713bccc7bb7dd0

      SHA256

      c94adb313754c522ad757c01742d1f48abe923bec53a9230371d82d2ac5133f2

      SHA512

      e50acc5d9322e9da6914f5d298e847c8cc41f62e77dd953907c8aca84aaba87c49643657cd9b45acc42794bee958a86f22eac3626e72eb1fc46b13860303028c

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
      Filesize

      1KB

      MD5

      9a84f123602b8fd78e9e4d299d51ae46

      SHA1

      c022a6c39a7629244a118b72b0508715e427ba38

      SHA256

      174e9905f8cfd0d3c48e83868ce33669adf12418b2a3fb6bcecbf105f2c31c1d

      SHA512

      8d6c4fcce12f72db0f1433aaa374f391a16e9e374e766a5bc8b8157f51c26c96c11f43dd9a1020539efb3e43b5f2e335f81eb59050a2eca78a6cd1aed5b1b093

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK
      Filesize

      12.6MB

      MD5

      796c0f3fcb86e8ba14ab61c36ba54ce9

      SHA1

      1030ef87d1baa11edc708ec377bae0d119537b7c

      SHA256

      cb2334bf2434fab705168c8663b0c135133fe23315628412198a2a13536a233a

      SHA512

      b68a37b433380d60ef4c67dd40468f411dd5d325715a151190f6a6ca4df8199f6d8780c700be3b8ef8b4ef67594d9f6fb88023a658534b9c3cef5e91c90f3a01

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
      Filesize

      647KB

      MD5

      eba7a2b74228e11e2577f628ebf8a912

      SHA1

      5cde40e5770f7d9ca185937b12b20ba7869fd729

      SHA256

      98c1e9174e85ec5224951320018b2ed0e1a06a05dda39d53ba5a7da5b038cb5e

      SHA512

      3141156daab192eff407510832b98582ba14f5a030af67c47b5d6768dc6d69f6052a38547d7fedc844f0dda4aba17f21d0f32ebc0fdb7c1ff0955e76308f26e8

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK
      Filesize

      1KB

      MD5

      bcf55972ced96e3da3dcad19b69abdcc

      SHA1

      dd1944cf84224883a34b7a42dd1bf5bc718bff11

      SHA256

      e20e316d1f29c6595e2e64b2d73eeec74f10a3ee527e8774b39fc49bad92ebe7

      SHA512

      979543f4031ab3ea85de95364d42de53f13ac673d0fcc73fe1d351fc60935da9f7715b15ffd15401d9d1cb607c867cfab3d46aebf5f4711fc1afedc6aff6e7bc

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK
      Filesize

      19.5MB

      MD5

      8993d27deb713f60858982f80d278a71

      SHA1

      2b05c83c11dc3f669bae2f23290ba3c556adce98

      SHA256

      f8c857807d13540e23e95c9ad4f82f8e2278fb82ee2091f02405daa1b959c995

      SHA512

      b76715ba0215f0518a210acac0907497a7de613233b30f146c03fe845c84a0168de3c435cc2c2295545c43fe661c7c1f49f05cdb6a6d2af595eddd112f9da71f

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK
      Filesize

      652KB

      MD5

      d1d506803030250405fc1debad6cf489

      SHA1

      82dbf674baede93cdaba96db00c2414850d376a6

      SHA256

      dd03624450ef34140fe0f5f941e2c923901c9b7788616f20de21ee7fd33c731d

      SHA512

      98ba3c2349609cda5a7742819b2b752ecf19c5624c798bc6f4e798bccd8c079981b63b1f5a5c99ccedba65c416b063e88b31900e06d6f129f57ee52d077c566d

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK
      Filesize

      1KB

      MD5

      f4162cd614aaa0b81b974be386a99203

      SHA1

      50546beae5f9eb5125ca720305665dd130746864

      SHA256

      4c5f57bcba5133e7210510a1ee604542ece2cef51ace6677897e3db4f0b03bb3

      SHA512

      02076d2f2cbe52dced3c441bd58a764e4c44516bcf0ae9ee85d2fd82010bedc690a4f9c296e4e240e5863debae8f7875541a8344350012ed98eb4e78d0552d42

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK
      Filesize

      635KB

      MD5

      57cf16d0c6b48ee9deb2958e2b18a36b

      SHA1

      cb8e60c19c572a5836c961384ba02223f3e74509

      SHA256

      9e7c9c4285c7748889ff11ff9f277155a4ab16406c4667e24c3d7a1527fc7fb9

      SHA512

      4c22376cc9f2ffa00654e03f8ebd44ad2989f0e6cc774530aa6f1c7f4a0c7ef542e551c6847703c976f1c0d3231367e9731835c23b890a27e796264084f15816

      Download Submit

    • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK
      Filesize

      1KB

      MD5

      4af776d2e49eea051e24557eb0916bb5

      SHA1

      ee69e015fb779a42642f90ec352b7d8cfd1b15db

      SHA256

      0b69d478bd88504a90d5ea5ff9aabeaecffddc570dca7156a837863aa4e979b2

      SHA512

      e8441f9455706b6a6eea38cc96cf96733695d31baaec95676936531fd5d08d9bc5ef3bfc69fc621b7fc62723f0e4d8df5eb30d3f460d2ea0fc6f402d82537065

      Download Submit

    • C:\Windows\Installer\MSI3653.tmp
      Filesize

      363KB

      MD5

      4a843a97ae51c310b573a02ffd2a0e8e

      SHA1

      063fa914ccb07249123c0d5f4595935487635b20

      SHA256

      727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

      SHA512

      905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

      Download Submit

    • C:\users\Public\RyukReadMe.html
      Filesize

      1KB

      MD5

      eef31ac0043fbaca9ba45316c36c37a3

      SHA1

      6370497bbf37c99d1f17ddd31467a427df926cba

      SHA256

      6b29df519d30df469d9df438403cd59e5783618eeefdbe4c0299049fce7a7693

      SHA512

      2c367bba06e99175b75df3b9eb7245fcf012b1e0ad401516033c158922cffd2a7f6b1e5efac8adb5af10b98c9ceb79bb146bab17f48cb21db02c443f930c0304

      Download Submit

    • \Users\Admin\AppData\Local\Temp\GPpLdnIpGrep.exe
      Filesize

      200KB

      MD5

      ad3a5956dc4e8fd6a62671a6204d11b9

      SHA1

      aac34bd5c2f8e63dca20034f24384c2ce1d641b5

      SHA256

      3a6ebac4f83f8b9088c9e00a25d88a56fb7e46b7b8a03158682a5d7d28f0f6ca

      SHA512

      23edec2ddc72277efca922dc7c66fef2220d0ad3709b277c236bd883214e423143a947ff48ec2a8b57b1835b715a06b39b7d1c2a423e62dc4166ad5097742f13

      Download Submit

    • memory/2060-2-0x0000000035000000-0x0000000035028000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2060-201-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-5-0x00000000005D0000-0x00000000006D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2060-3-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-34-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-11210-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-17-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-1-0x00000000005D0000-0x00000000006D0000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/2060-9741-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-8088-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-6347-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-4544-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-52-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-2230-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2060-6-0x0000000035000000-0x0000000035028000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2060-525-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-583-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-202-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-19-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-50-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-9742-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-20-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-53-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-2231-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-8169-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-35-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-4549-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2068-6348-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2688-2341-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2688-584-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2688-54-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2688-11213-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-56-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-51-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-9227-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-36-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-10417-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download

    • memory/2932-12005-0x0000000035000000-0x000000003542A000-memory.dmp

      Filesize

      4.2MB

      Download