ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
54s
max time network
105s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Size

468KB
MD5

9296a9b81bfe119bd786a6f5a8ad43ad
SHA1

581cf7c453358cd94ceed70088470c32a7307c8e
SHA256

0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591
SHA512

64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1
SSDEEP

6144:TDsDjEwQj9kQGxBOfJWgqimbqMS4oXVqhTA4G2PGYWAl/uSp:cDEj9kQG6JNfmMJqWDIl//p

Score

10^/10

ryuk discovery ransomware

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note

contact balance of shadow universe Ryuk $password = 'J5U8YdUCr'; $torlink = 'http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};

URLs

http://ddchw6p2kegymsyoqljqnsslebfh5t7e45s6m2pqhhn5mt4yb3rlazyd.onion

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk

Manipulates Digital Signatures 1 TTPs 4 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "0"	TBnZxfGXSrep.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "0"	snvGPsRvUlan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "0"	NabPFVqWClan.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State = "0"	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Executes dropped EXE 3 IoCs

pid	Process
2876	TBnZxfGXSrep.exe
2820	snvGPsRvUlan.exe
2516	NabPFVqWClan.exe

Loads dropped DLL 3 IoCs

pid	Process
1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
19872	icacls.exe
19880	icacls.exe
19896	icacls.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TBnZxfGXSrep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	snvGPsRvUlan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NabPFVqWClan.exe

Runs net.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 2876	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	29
PID 1268 wrote to memory of 2876	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	29
PID 1268 wrote to memory of 2876	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	29
PID 1268 wrote to memory of 2876	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	29
PID 1268 wrote to memory of 2820	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	30
PID 1268 wrote to memory of 2820	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	30
PID 1268 wrote to memory of 2820	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	30
PID 1268 wrote to memory of 2820	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	30
PID 1268 wrote to memory of 2516	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	31
PID 1268 wrote to memory of 2516	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	31
PID 1268 wrote to memory of 2516	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	31
PID 1268 wrote to memory of 2516	1268	0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe	31

C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe
"C:\Users\Admin\AppData\Local\Temp\0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591.exe"
1⤵
- Manipulates Digital Signatures
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Users\Admin\AppData\Local\Temp\TBnZxfGXSrep.exe
  "C:\Users\Admin\AppData\Local\Temp\TBnZxfGXSrep.exe" 9 REP
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Users\Admin\AppData\Local\Temp\snvGPsRvUlan.exe
  "C:\Users\Admin\AppData\Local\Temp\snvGPsRvUlan.exe" 8 LAN
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Users\Admin\AppData\Local\Temp\NabPFVqWClan.exe
  "C:\Users\Admin\AppData\Local\Temp\NabPFVqWClan.exe" 8 LAN
  2⤵
  - Manipulates Digital Signatures
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:19872
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:19880
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:19896
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:29552
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:29456
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:29516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:30488
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
  2⤵
  PID:29940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "audioendpointbuilder" /y
    3⤵
    PID:30088
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop "samss" /y
  2⤵
  PID:30164
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "samss" /y
    3⤵
    PID:30108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab.RYK

Filesize
22.8MB

MD5
f453a5a633fae3a6d2d2a9c3de237cb3

SHA1
f19dac3f6b3719b2958201bd17c6d15f49943248

SHA256
486d3ae947197b85594f0f4d8403a654affc82ce5a3654aa385572137e9cf7ff

SHA512
ce6e20a176d7017229154d5079fa4728b4b6433fd74270c02f1f2842f57385ea0e0770ad0494935d633cbe7af34598079a278a6dc249408de2b15d370f9646a5

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
2.9MB

MD5
a807c35d68892742035a7d50852d3e6c

SHA1
9f18a65774f6486f1a8c032e2092face68ca25e0

SHA256
cb450acd0410ca829ff50c5caf227bede68898d220f23ff466a230925627d676

SHA512
35fdbb1362028e337e36b154d4fc5474c338ed4adfc459a6d16354b65e235e45691f19bd405fb73ebd3f851b4e2916198e9d01b75754ecef65893382f988d07a

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
ec2869b29904f836b568fc4a2d64caac

SHA1
2afb460f01915c4b909816e2be89a030366d5751

SHA256
7e221e6c13249a544cbbc475f0b3a9e2aaead229e4037f2444714a6b3a7363cd

SHA512
10cd68e78612637a9629dcc1355a10e4ac48c6fedc44326f302b39223d406f0c56664b23ca9fd1018fee9dadf1337dc9376b0fdef6169b37144eab35844062dd

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi

Filesize
23.7MB

MD5
61cbc70eb35e836fc5a4040fc4a2fce9

SHA1
71fa08a68ffa2e9aacfeca7da0a242df6394718c

SHA256
bf4e3193d80fc90e90164136c99c63576020d41fc63d867c8b8d773b3e4d90b5

SHA512
0b4cc421445dc1d496f14f5b56dfc696610b1e169fe6b58624868c22414519cece424daa917af1319db3cb7d9a8d301bf1c44ebae5d8896a7587474e2a1fd1e8

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
275c90e4503eefc9815e20435a634489

SHA1
7671ae35774e1f24c14c421de0b9a9150a66db81

SHA256
1fb92d523936b4ed36ec8a178a3e044f4776d1b873cbed37b1d49c7b5d73a037

SHA512
d7057a18773a1eed8893da8e279cc5314562378dfa36d186137696253efd32878344c4c8c1116d2e512a0aa31cbca83f6046e4e83bf0349570de7355a0a3d323

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
76dc84b83b2825182b6b7cd101a7fd81

SHA1
4805bc1b201289c735e6fc5dec3b087b52d5fc77

SHA256
4029956b3b0287bfe08fb49909cefe00c898ddabd9c0766dc0e40221ec4a6e0c

SHA512
d7110eadce395c1410f4edff800dfde5523328cc2afd26e406721d1ddd7d9ed4afd406c7907d50a4abe5ba5fde034569e7b03a63b760e2b86eb87f08256c6918

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
6f6df2f785b00748c1e8387216308280

SHA1
768f2e99269aad1fe1ef8b35e32fdafff53bdfd5

SHA256
1457fd324e851b42ebb2b4e6847fb1f953f09718d0a59be89eecdb55a18262da

SHA512
7c22cb5c7e9140b64315381daac858079948864eeb9d12855617e71b2dea449507e66a4b5e3e84c13920362ec13a33cb10e0b1b9bd7af5fe3b1caa33c647b3db

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

Filesize
16.1MB

MD5
aa9464ecdea8d557bf6e5ff52b67381f

SHA1
6b5148a7083ed469d6cbd991728963176f026c7b

SHA256
3ea041bc61e0501cdddb0ab3d60fe4043609295f6082f4c7815989082eb5ecb3

SHA512
98a9a76e01462a788145a534d2858445c5a4a9a0e436736430b22f6569caf0add9bd1e2841bdbe7d6350570290361c9ecbf06602c7afba5d7fc78daa45befb8d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK

Filesize
1.7MB

MD5
42f89510c445e831dd205ec0c744ceba

SHA1
2400fd25756ae70585dee32009d71fe4d0f251d5

SHA256
1d8cc225d4d4e4745a611add21891348308c273ac03929a82b50414ed837abeb

SHA512
73c5d940eef0653fac555d282b71b7005ea863899a5001c1c1d23e4a4828fd74ba9c16bbababf4d9bacd7ef6e77a1d22c8b05979a5dbb5209aac786bf4a1b641

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
aac59fe570b7cc34de87cb136a7734e4

SHA1
9d1d43e0c6245b1545caf932b10c68e51b2f62dd

SHA256
9aba7a17370d0b54d246423e8832b9f41dbfd5684ba843f016d19fce672846fe

SHA512
8aa66d6f6631021a4757ba8765dc2f77da8194cebf049012403591441c1bb7981f55ec026682bcc51be12e8e7cf3b662e27c2b9a43edf16d51427c658a198c36

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
9c3ae6c7d0f13d3818476076c689f43f

SHA1
69833532ed8f4f08600772f076c1f14581e5d043

SHA256
4c3a3e8b2eee05a056a1c2ead35e288f883146a9f87e21093ff48d9ddc0dd047

SHA512
67c1554d460e592dc5b4e8736cd1d41b9323f02fcb5ff7598ca34cec95717ac19df28b708803e6b17f926ecd434e3ee2474ac408af3a6ec1a62137d518a163d5

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
33c8ed082cf286b530f2b9dd2008b62f

SHA1
2e2da2e573a343ba017ae4fab2d7499eaeee46ce

SHA256
501555a37d24b5e710fbf267df1d0a894c85ab5f82db2887847feb051805ee14

SHA512
4ae826abdb3609a5625143fb00d325c5d28984a1e62404baeff5ba79c3027227b972bafbfc843480f94f61455bd8b3c20eaa0b04a17c2d819766f7ecf2d6736e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
4936fc793fe73159a369a72fd9522c88

SHA1
dfa1134761de6397164876adb3a1c6d31addfa3f

SHA256
841e39503186836a7cb6a81fc85ae3982dc6db3c9ddc718d31bd9c35215d297c

SHA512
4bc7efe239753525dc024bc7da8b06cafc77faf273548f61755e721fbafb64cf9e5c5dc750b12116e37d0f51934264b5f9f0fe062e4f58b608ab8f3e12e7f2ec

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
fc5f2341d5974645823ecba0ad3324e9

SHA1
63d294934370968bcee61f4affa96f92b845abfb

SHA256
4f813acb4f6f4c288978c14c03f02b95c2a9b3b25f55b4bea887b9063a2a4563

SHA512
4af52145af24341214232eda083896b38a3a32b9fe3b468dda7b95e168ae9313320d123d8aeedd342ee8175fe5e19cc8353fe959e6b09d52d7e2c2383fe97989

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
ff9dcf6a8822b0ab789a53ef37527b95

SHA1
b6b20aa4863c2092d5144cbebf38feba9c35b566

SHA256
519294af23bd2217af988612b8410d5282ca8f4790060cbd36e09f3c817496dc

SHA512
f56e565a7229bbdcbc1a980839b989539649406b5c960454d3794df39cf84d31ff1bcb34e4789b8cf4d751ed7abf6b0bedfa3f0dfe4d903d08e49de13310073b

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab

Filesize
14.1MB

MD5
57e18ab33958cfdac7355c721b489128

SHA1
24429ead4ba8fc7fee97b6f939bbac7377dda153

SHA256
8d21054a5d645ae07f9b9ea42de317f0b97c7400eb4592ff9f9d074361280a67

SHA512
1bfa09092d6171a0425a77dd7c5487228a3c6c5db405b97d49f77fb97be60cc757d0974936506f7dcb5324bb3b47e06534e74bb5f2fb75ba0481bd307ab0b734

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
2.0MB

MD5
ccfae34debeb294f9291ec98c9b42558

SHA1
3690a4ad92f1b98c9773cc1592de3c9b9735cd61

SHA256
ee7e02940c907330ab6ffc2c528b504f0eb980d316265c55fad55e0d3fa14dfb

SHA512
8574028a28034bc87822063906c4e71f9e454a591787ca6a59d14781b240da47b5725b9536aa1083297dc2dc84b073c1bc35a776b0568d587e3bd7b73e7cbe8a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml

Filesize
3KB

MD5
e9c3e071b2de37f4171ff9823ee3f7ae

SHA1
fafbc7222df8c2a0cd5d63390fe3ba3cba495d6a

SHA256
15346e10df800a20aed3b8a411dafb14358ae2f2a3d1a5b614cc563a27621184

SHA512
a0c4339c3243925b76fd63631b0a8f678b58da8651671ffe6200131164350cfc66f84403b0119c44ff71f273f462ac3825bae483def4c8594d3cfae0ba9986e4

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
00372ccfce0703e2e12c0f5ac7725325

SHA1
b07a9982f81b0bef17238191bcbe85bfba81cda5

SHA256
168c33c411b152abae85fd27eb959f76d28a13224889e4fbd52e6d7b583811f3

SHA512
d0684dcb9107cb506b28943c8f15734f9826d4f8be388ca008705e18ac3c329c9cc791766940dd7e81b88577c5dba26d578aab9dbe711d09b1ffcf41d6b9f19b

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
be2e2ef989092ae24fd689d751d6348e

SHA1
322dafca896e220c21ef707809ed84288bad0394

SHA256
51de9648d9119f0cd1dc31bf5d38a039d2ca0a079e2754b0ca4df9cd6654a1e2

SHA512
756c38216a21bdfbd7f854fc4cbde5188a716c3be9d53e19c2ad8645f7e43d27241c05718610e950fafffd2beb4f8ad40d9ceab04a4325c3ae2d0279ce9e5138

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab

Filesize
41.8MB

MD5
8b72e516fd35a9b72b314c3a5b377bcb

SHA1
47b9845b8c3847a34fd246409d08ccbd73ca21e5

SHA256
c3c868f302a05142da5d66dbc2ce821e6e17900f8c6f9ad8e3dfed4712b3232c

SHA512
ba7cfef7845a7074aa7892c9b52340886d2a6f7abf3ec94eda81aa7c1e090d52d6958e96948ba3ca09817aa1efa19103a86679144165d3c2550791a8b71cafef

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
1.7MB

MD5
0d58f895bde21f070bee1511cff9075e

SHA1
5b2156c0fb483a7c086e12dc55f92da795c54e89

SHA256
095724294318f0cf97e446e8e1e1a8578f0b3819b9d6ba67a163c9ae753e8a90

SHA512
77ce0748554ba4883314a50eb9c7e571b3a06167abfec4f47db28b421e0a21e8cdd23829cf799bcfaf3bca7caa34e572225482f3db2886cc870bd7b6a128cb71

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
cce222c532e8a69b240d9da7de2b8a48

SHA1
8af25c8e1749c87af64c7be36750fb27aef4fd2e

SHA256
50463244e3aadeafa8019dd2f48bbe5927abfd13e5fdff27c29bb87c22957b46

SHA512
db77b9c3097e028539b7e9be5c197cba2fb1b2d85b2d38c6461d713da934d302a9aaa5401e807145cc77d60e6f11f216bd77ed070de0967f4e07e8028498c4f4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
10.4MB

MD5
52fd94b4abb0d85edcb08d02b60f3c05

SHA1
4e2015107fb9a2a00d7943dc74fe7ab027c1d64d

SHA256
c085c74615cfa120a5923fa59931d9d9717c41418a2f81781974ce69d0d8505c

SHA512
e4303f405679838e4354cef76f0975cf973d35dba5b41e35aee6590fd06e9386969bc5ab650513cd54977fbaf5bb3eccc1e23a998985f94423fc9d06c59b81db

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
130c1dfc30f333debe3d61f749aad96c

SHA1
bc531ac9c4ccf08e1ca17f34851ef619b496b36e

SHA256
c4b9af970713131c015d23e6f1150978c47e3ac95b081be497387f8da6ec0f4e

SHA512
2c3cfdc17cdd8698578e2f02ecbf920912ef4c467495b4ede5512cf6e9a0c0b59d4546dcc4c557cf3dcac74b26aa2f75f96a9c38bad6ff727fc32b7c0ca7cd28

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
c38dd10cc0d27b22363e3c2499c63817

SHA1
592e90d1c25764a8abf17079902680850ffa83c3

SHA256
5653335fd2c568527dd4fc5269c72dbabda493a840f21a226e42dd386ff1a042

SHA512
a30ddee525ea8510ead21f74b0afe0d6e1038810218a5738a72695cc2136a947809d4270719ed56f3d83b3b1a5c1b4fb1771d69104e13d32449bf518912895ae

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK

Filesize
12.6MB

MD5
71a3ad285ead37de1dcb7639cc1320f3

SHA1
a0bcb1b1f93aca05c25e5645b0e30260bb280359

SHA256
ce590799967480e1e065b8dd33246e841ae79c70b3941169f32e666e3172ac6d

SHA512
d04824ff970684894e4df1af60ce2dc3a023d915b0d2e55d6e02de3bcb2253c7f4691539edd173c1be4374fb263b1acbe22c795561e78f2fe099bcbd3497b053

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK

Filesize
647KB

MD5
b77abd4daa91eb83bc106d2dbc5379d9

SHA1
c7527bf9ab220fa368a7d55c14b50314fb70ebc4

SHA256
d0d9ed3965684680a244f15e202e0df19d1d4f8fcc0fd4c830b9a22c91e282c0

SHA512
4b210c0df875fff422284c401e714922f4e2af241751e215f29649b5ab5bc44960711cfba1ecbba5c7ddb5198ef12777c7ad7a4d69661a04421f596e0b293ab0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK

Filesize
1KB

MD5
7c8a7629d6643a8d7dd425381a6ae747

SHA1
dbc0adbaed80ddc18f1b1df7febbcc8de299836a

SHA256
2a648d36819d07778098623f00b6a03344e6af78d8976d70acd8c090027d5f0c

SHA512
439cb9c63e993465c1006af6f6b992de0496670633d97fe41d614430eb0c0352417d9f45f607c0e822f79b1c2ec51383c490fe23eeae355502d566de04cb6da4

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab

Filesize
19.5MB

MD5
1517b75ae9b83952f59db8c45e763678

SHA1
52acd3710b4603cc0f10fe459b01fbc2813b8c33

SHA256
45beef936aab2244ae48b72a63c88974a82f90cfca001765531c2bb538d0da88

SHA512
c6e305be76b792acb97df37ab17bab6e3c6aac9fff646d850acec9b85f00c29a253d5f740202cb15c9ae2352e42873a44f5caa1fd71fa0629cef02f6dc7fbf31

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK

Filesize
652KB

MD5
108cbf89cfb3329612db7d612974cf21

SHA1
0f71808671b054c625e0258ecc0ef2b60a203582

SHA256
6eaefe4c3cdd39ef99a1229ae6d134508940fa744f7e0b7a10a53b9f35227ed1

SHA512
ea89f5c1eefd34a04d25d4d2bb4157c7c125830ccab782edfe37d06f9353757167b0c062e91c3b648883fcc3b497d77054fab6501280eb5afba8c46313e8adb6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK

Filesize
1KB

MD5
806afe393349ec5bb69ba9652eb9e17c

SHA1
391b2b4f5dd7ebf900b24afc0616562992241bff

SHA256
1c8d6e3118556bf69d0ba4b5e035b205ad0b17c5610bddecd041ff16520768e3

SHA512
5dd366a196ee623d3379ca0dc3974b28dca445471c11daa54ea961b08cbf2b1a89010de101a179a8a2b142df196c34c808d72bc04797c91128e5640d0ef3a363

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK

Filesize
635KB

MD5
4c6964b73c3fe57aa3eecf713bd20c7a

SHA1
98a37557ef5356b4f9cf1dc1ccfa0d1f12f6222e

SHA256
a2203e8c471473895263b2eb04335aeef848b5ce8a7a60953629e814d720ba60

SHA512
0a8fcf1c558b63e77410875047af491893d13c26f3fecf0ac6ec916c77ec9bc01fdc188c35da8211c9cc6975629508840edecb98271e9d4661e55a59abcbc1d0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK

Filesize
1KB

MD5
46840ea8435e74dcbedce33dc7f9b033

SHA1
c9e9f8d12c888dfd666eb3cbe7ce4905fe0d2031

SHA256
33cf7b46713b9328742f7ec8c792f47cb13987f9161cf57fb8d5db2535bc3909

SHA512
a4319477861c16f364cef0377e201059e18e30f61452e71bdb82dad0f065b63621e664b4d560a76f980397903aa01238dcb042df5af6fc6f6007047c94477b6e

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
6KB

MD5
f334888b4fbd10290786975caf26e9e8

SHA1
6b5478bbbea4c3b43dcb2a525b11f6752bc46e50

SHA256
e7bd1c8e67330c25b2aa4fad2c96a2d11e064305f3fadd78e12d0bbeb284d1d3

SHA512
7031159d0f667699c88e4f33ad4f85a84a4c7289d3add9915e75d6dc8188e059607a110f7d5ba03d6c309594d66d4c60cb2ddd1ecaaede396bcf66df2e60d570

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab

Filesize
15.0MB

MD5
dd9c62c7b22b48bc4d5fc409fcae15fd

SHA1
7d932097ccb7493d65bfd893a58bb366d9f3da39

SHA256
6ca506a04dc07063aae18b64da3230c7a1ee93270e96698ab76e2ee29ff11acd

SHA512
10aa2fae742d67ef33cb32097a0a7c2183c26affef6a70b88b5fd5a60d4d1ea2727bd118e57662f545f100833dc33fa47804d8e3e31470c2d360241c3ac5daf5

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK

Filesize
2.3MB

MD5
75779df6c35bae58b6f2f60736cdf511

SHA1
fb2bc014f5d821bf4830b131b702e6d63603894e

SHA256
92707fd038165bf9b5ae1f93bdb1ae0d929805dc38a573878638bf31f99c6fa0

SHA512
2c17ea6a428c6c5ec4870be3d785fe90fd24c96665ce7c2d67ca2c2fc36dc1060d228913fcced0ba23c38a08c8e31f5af7b4dd2c2967e9358bbedca6a7e53711

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK

Filesize
1KB

MD5
87d30de0e5a9077c907b5f5484bed287

SHA1
3b86baf98c0aa7e1161805c74bca59362af40a1b

SHA256
7f4ee411ac38b01a1ae767d72a9bb4e476cd8e19dbea517eb9ed6c03a3a34d71

SHA512
1e984d437eb997025627d93e83930cdfdf7915ec83bb4314af8b77b2ab947bfbad482caea6d74427514972b669d89c1108b15a2cf0f2f17618384dbacd745a70

Download Submit
C:\users\Public\RyukReadMe.html

Filesize
1KB

MD5
c1dbe634e57adc9ac9a227993936c158

SHA1
24888239bc85423fa87849c3f4b8896fb8c0332c

SHA256
6b96309e5b97c6b3a8b694fc989cf251406f7b9be58876f2ba9cb8aeca055034

SHA512
0f1c0131cbc948650c051a3c0fcb44146b7b4f06e443bec44f59e7027311ba7092a1814707f88b6d55e72ef7c2691c1e745a7fd0a1008a69c7770b1b414a193d

Download Submit
\Users\Admin\AppData\Local\Temp\TBnZxfGXSrep.exe

Filesize
468KB

MD5
9296a9b81bfe119bd786a6f5a8ad43ad

SHA1
581cf7c453358cd94ceed70088470c32a7307c8e

SHA256
0aaecf7f77132def96c13d480e32d759839fd65fa76c73e29f0f53c50714c591

SHA512
64955ec13d7e874d8aeb9490b2ff814473e02ef93eb071bab460add8b5966f660ddca1ba80cf1055f7d2c5cccaf4ad62d908356547c8c13387e622e5dfc849a1

Download Submit
memory/1268-8537-0x0000000002A60000-0x0000000002BD7000-memory.dmp

Filesize
1.5MB

Download
memory/1268-4640-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-0-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-11626-0x0000000002EF0000-0x0000000003067000-memory.dmp

Filesize
1.5MB

Download
memory/1268-10815-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-45-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-42-0x0000000002EF0000-0x0000000003067000-memory.dmp

Filesize
1.5MB

Download
memory/1268-9085-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-3-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-398-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-7309-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-12286-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-29-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-2073-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-27-0x0000000002A60000-0x0000000002BD7000-memory.dmp

Filesize
1.5MB

Download
memory/1268-18-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-657-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-1-0x0000000035010000-0x0000000035011000-memory.dmp

Filesize
4KB

Download
memory/1268-2-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-76-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-6-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/1268-4-0x0000000035010000-0x0000000035011000-memory.dmp

Filesize
4KB

Download
memory/2516-43-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2516-5186-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2516-47-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2516-3145-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-14058-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-12010-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-28-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-49-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-8742-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2820-31-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-8006-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-9783-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-4854-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-15-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-40-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-30-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-3139-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-5011-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-838-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-11345-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-46-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-17-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-291-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-13147-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download
memory/2876-16-0x0000000035000000-0x0000000035177000-memory.dmp

Filesize
1.5MB

Download