Overview

overview

10

Static

static

7

0323b4326b...02.exe

windows7-x64

10

0323b4326b...02.exe

windows10-2004-x64

10

0898a80dc2...92.exe

windows7-x64

10

0898a80dc2...92.exe

windows10-2004-x64

10

0aaecf7f77...91.exe

windows7-x64

10

0aaecf7f77...91.exe

windows10-2004-x64

10

150e8ef3f1...02.exe

windows7-x64

7

150e8ef3f1...02.exe

windows10-2004-x64

7

23e95ba676...7f.exe

windows7-x64

10

23e95ba676...7f.exe

windows10-2004-x64

10

28e7dc4aeb...33.exe

windows7-x64

10

28e7dc4aeb...33.exe

windows10-2004-x64

350b0d6ae2...d7.exe

windows7-x64

1

350b0d6ae2...d7.exe

windows10-2004-x64

3

3a6ebac4f8...ca.exe

windows7-x64

10

3a6ebac4f8...ca.exe

windows10-2004-x64

10

3fe801df14...4f.exe

windows7-x64

10

3fe801df14...4f.exe

windows10-2004-x64

10

41367ad447...00.exe

windows7-x64

10

41367ad447...00.exe

windows10-2004-x64

10

48f4749f13...77.exe

windows7-x64

1

48f4749f13...77.exe

windows10-2004-x64

3

499d936c22...82.exe

windows7-x64

10

499d936c22...82.exe

windows10-2004-x64

10

4b5a6926ab...d1.exe

windows7-x64

3

4b5a6926ab...d1.exe

windows10-2004-x64

3

4bb0d8eb6b...81.exe

windows7-x64

10

4bb0d8eb6b...81.exe

windows10-2004-x64

5de3d5a337...ed.exe

windows7-x64

10

5de3d5a337...ed.exe

windows10-2004-x64

10

5e2b2fe65d...20.exe

windows7-x64

1

5e2b2fe65d...20.exe

windows10-2004-x64

1

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

  • max time kernel
    141s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2024 03:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe

  • Size

    279KB

  • MD5

    5df4ac6e94ae7e9f9eb28d8f7f464946

  • SHA1

    79f222f94fa265896c5e4578b91ed4ebc100058d

  • SHA256

    3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

  • SHA512

    18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

  • SSDEEP

    6144:IS1cGDFCQuthKvzggi4quAM8QRofVjjdQxpBkAI5rZ/OuHqxwbmmjO8Sw6Z/rqS8:71cGlutwSuAM8QRC6pBAZmo9sZ/rhgt

Score
10/10
ryukcredential_accessdavediscoveryransomwarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
contact balance of shadow universe Ryuk $password = 'oqsuyezb'; $torlink = 'http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion'; function info(){alert("INSTRUCTION:\r\n1. Download tor browser.\r\n2. Open link through tor browser: " + $torlink + "\r\n3. Fill the form, your password: "+ $password +"\r\nWe will contact you shortly.\r\nAlways send files for test decryption.");};
URLs

http://v6nhthxmhpfsody4hitwmk3ug4tavdwl2av57qqid2lvz3nppikrmxqd.onion

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Ryuk family
    ryuk
  • Renames multiple (4935) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Dave packer 1 IoCs

    Detects executable using a packer named 'Dave' by the community, based on a string at the end.

    dave
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe
    "C:\Users\Admin\AppData\Local\Temp\3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Users\Admin\AppData\Local\Temp\NTLwTBJYUrep.exe
      "C:\Users\Admin\AppData\Local\Temp\NTLwTBJYUrep.exe" 9 REP
      2⤵
      • Executes dropped EXE
      PID:1484
    • C:\Users\Admin\AppData\Local\Temp\pdgSTjMlklan.exe
      "C:\Users\Admin\AppData\Local\Temp\pdgSTjMlklan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2680
    • C:\Users\Admin\AppData\Local\Temp\VbfGgtbXflan.exe
      "C:\Users\Admin\AppData\Local\Temp\VbfGgtbXflan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:24164
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:60808
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:60832
    • C:\Windows\SysWOW64\icacls.exe
      icacls "F:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:60848
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:75116
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:65420
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:63404
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:75516
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:78148
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:79628
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:80120
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:81548
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:74948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5738F1A1A35627A8ADAD27A4DCC2E920
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:79164
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding 969CDBB763911C9F3829C5C1C4241B7D
      2⤵
      • Loads dropped DLL
      PID:82620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab
    Filesize

    22.8MB

    MD5

    106ed05598ac23fa113dbdeff0d3408c

    SHA1

    6958f06e9c8e8f2073087b9ce5967eda3ebae841

    SHA256

    0cdd2af93f187db636edb392d3d4b6fdc4a4bc83c702862114225f00e30e9bd5

    SHA512

    09c7b1175643aa0a71c9c2b9aa0b0dc606171462846cb59a4a49101721adbf64f946b253d9d13a7c33ed4d8e688bf56cd2e1125195715f85cd0219157f5cfe6e

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
    Filesize

    2.9MB

    MD5

    c786c06ed71b82fb7af63744295d84ba

    SHA1

    62dbc070078fd8460b5d452629fd52cd4954b32d

    SHA256

    96f7d6982e4c639a8587be66bb94476fad10f302c03fba4165e6b7aa4ef35825

    SHA512

    61558ea99bc3c7428920b80e96f194679a92ef7fdd6bafd948733d1fa87a669d4f121907cf2e21ef98f67aa7973ff7d255fe65954c298fbdfb3ef9fe3c671b0d

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK
    Filesize

    4KB

    MD5

    fbedd486fe470d818ed1bbd013aaac55

    SHA1

    0a5ef0f0ef35794251204da7a9497b4c15861006

    SHA256

    aa23c888602b8de7b351a4720b2b3082d23e035f8a43422c5e796b787fec7311

    SHA512

    b3c92556b517ab7bda7041c24f5f5ab6057811cfd270b09308a958640c1eae537c3c947e8191513c9620ec9ee1c3051051787cc6673b5771c2866b3b4530f0df

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
    Filesize

    23.7MB

    MD5

    e0c196e6774037293456462a893374d6

    SHA1

    24a24551798625664cc954307e825ad156f22669

    SHA256

    3b11bcddc86670c670987830ad9d2263d57a17ff84e0e3862bfaa57e378141af

    SHA512

    dae4424fe09144c10ffea0fd28678b29ba62943cca50b1aafc7e3a38ad82713a33080cbaec6d167e09f6c8bd641ea8304a91a418f3081e3d9fb465e98d9e2580

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK
    Filesize

    17KB

    MD5

    195f9adad2d20dcf1a2b017c942b636a

    SHA1

    157962b5418fd7005a14979c9844603c76eb03e4

    SHA256

    27eec5644d5a36bd39a6c6c05caad0753da0d29cabbf028bdc32fa25dfda1872

    SHA512

    4edbadc6d40ce37c9aa9c7ca2b9cb8b3e3f0990ff409db5228847404c2cb74821aab4312c1fbb585fa88e22dc09083701d4a04e24d19b2776073ac582d4b8dab

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    31KB

    MD5

    e46af1860e47bb7e50cc0cab7d916531

    SHA1

    0886cacd9b0c72bd6c4e30aff4bd487e83b70ced

    SHA256

    ca71ef1ddfaf29dd52962094f63f53cd36e23a321ef8229f747ac4e484525b05

    SHA512

    2cfe345bf7f186fc13caa5c4dcb1bc568f7c7985e87407597d9df4fc0c607dbd1c692a48138bcbb71e9196bcc2393b45680d61ad5aabc1b147e5af97d0624470

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK
    Filesize

    699KB

    MD5

    bfa828e96fc609fb3b87f32367db8f94

    SHA1

    687c16d5e97035cf8999ff92640a3f91f7cca8bd

    SHA256

    3f2d712b0539bdec28b0b9379a07464d55d29c9f7ee61beba46e43f170569378

    SHA512

    08d0f2c5cb76c022335209db504c64d2a9c731fbed1edd46b88a4ed232747a24aa775d7aecdf319616351c74261530df63cee711de481e119b8164a7d20caf9e

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab.RYK
    Filesize

    16.1MB

    MD5

    8185fefe1e30865c16b6ea206f315faa

    SHA1

    01d24fb1956e19e6b0a71150e8b1c6637535526a

    SHA256

    d77e49c2f3ff6f55e15a1b0583fcbae44db18d43a28b4649e0144fd84b10a539

    SHA512

    489cd3e9ab67a9499530e7fe9e38a1bb54f394abcbc6c6766d79c4b026486f974496b3a98c7ec9e15f803a36bed8cec5f4563e8b957bf70c046c1564a1f98aa6

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    4db30832645ec84cf2626b5d56a759df

    SHA1

    01004414ef63bbd13137932e536335a0a65b8642

    SHA256

    89919c1bbc6ca17bb13ed1bcc9df41744dd53bba5ddec14c53e2a46fad5b1612

    SHA512

    4494842945e4d1e47b4d9a35ad22eabf90f7793b7dcb73652abafd1a8c13e3242db2f8d60c8744477af85963642d9c15c2ac082c1d0f6d4a859c9b7a8f3adaef

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
    Filesize

    1KB

    MD5

    839e72d388b4370a4ba10a07d80d8153

    SHA1

    b160258a0d6b8fa13da2657b4cf74a234958b4d0

    SHA256

    6a02247af96dec494dd872af0c3dc82c1f42f17e0175c23fd8b2a47078a59b38

    SHA512

    086adf5f98da19f7da2aa60f04b2a2c2bbfabfa9abc46fb45dba9d36e28e2db9c708944b93f13c38acd97dfae3160003d29f7a08423d1526804d13c6ad6a0dbf

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    e55b7ebef5f62b0f94095cb8acb42364

    SHA1

    3080fd9726f26870782a08bd7f9eda084fbfc6d2

    SHA256

    7b777fc54b63b0f4fe604c4ae7cd9167776ad2567b7192035660d2e16239e976

    SHA512

    1cf12a9f801a4162e9bd591229873d8b81850c75adfefa4d50fb4e125c9e4226fe4c77746ef432b949a6dbc86d5af9d08b00de343afddeeb1f86475e36dc17ea

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    c7516b4b5ec756ae43f5bfc261977379

    SHA1

    71364e6efb2dc90a7f120450ef26e1c82e236d6d

    SHA256

    80877dd25271325c6d2790e42837a41a01af3f8fd081a2ee0324fcb456f68fc1

    SHA512

    8efe022d8694e1661a1a2c096ec8d842814c6d7b32e3f525b1aa6af3c3234a73ff860f0de4bc3709e00c535c42409199087f0490fad6ee4fd3f6209780bf3563

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
    Filesize

    1KB

    MD5

    c22149f3aa5404b9bc3b0b6d95fd71b4

    SHA1

    9cd404e99b8e0a3683cd8d9d6de3d0cfa84cb73b

    SHA256

    bd6eca7f635782c07faae24c2c8ef1156562db2fcd04512822b8d37ec091593c

    SHA512

    892d2baaab1563b186620bab62bfb5104c670b0bf320ec2806f0a81909b1a8af3b1370fb69a1dc9f63f844c0b08ba76a4c76e0f2544e731cdf37129fedf3d5aa

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    53538a150db23e944e6711f1a818c45b

    SHA1

    a9749994f795fdc74c4847aa99545d5dfdf38036

    SHA256

    03bf20c674fa4202d6d127a5ca7e32beb6f852367652b858ea082ce4d0de319d

    SHA512

    5f46b1cc17617f357f079af4d21abf7f5975503628da39d734dbb0ca0a7954830556a8cb0e3b683eeba1b6a5dd9018963a202d3a5c80b1c9c13fedf59112d4be

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
    Filesize

    9.5MB

    MD5

    a7f4cd6d28b2c7260cf64e0e0bbd34d5

    SHA1

    a1b7f89b2b95a0564c228f342dbb54ff33c06f71

    SHA256

    9349dfecb82c30992feda8cafc422df76fcd90476f20f20178b29a6a09219383

    SHA512

    68d5985855adf2933d44f3c3d145e087a966065bbad5d22e24866efb6bdfeaa1703c221215809995eff01490cbdc4cafe04b94794418cee98250621141d0a0cc

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    233647eb017f78cb25913127e8b86ebb

    SHA1

    0b481d4ae992456d6e4b14057e1ab6c8772b0147

    SHA256

    57a9db9ed92cff200017ff75440ec2acefc912a33f5ef572af4989c0ebde540b

    SHA512

    15577095c74718fce3142f623f0c671178520367132d70261b06222bf317bcc0e15c17e81fcce2804f5195a3559aa9c6eeb022f28ae05756932c9b88b09778f8

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
    Filesize

    1KB

    MD5

    35d93e4ec9aad2764d5349f8a8d532a5

    SHA1

    a46f948e807adab8a1048956fb123518a7ab0323

    SHA256

    839d5784bdd76166a1bb5042df9058e0a8a1dba3fca781b7a6569e13cf664b6a

    SHA512

    281768784a62ff7da8657e34720d48ec0c55a0fec4c4cfcb57e3d78912dcb1821025ed42ff8ced25fee0d809932d48cc4deaaeb8e31429851f812cd09fbc8513

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    1KB

    MD5

    fc402b7f650eb81cc2cb06b205d231e8

    SHA1

    80f521f531d7d2b658705a7b477205941ae16c25

    SHA256

    04398d3f721d1066a942abb2e64ca38127d9a55c6fb31821164e6c458d2c7ac9

    SHA512

    aaf445ee23f05e45f2df0ef37ee279ad96d569ec57c908b4da61629376c326bdb24962848f8fc9828894eb2a67f32e776ef7953f6ea4691a43baf1d202a38f9f

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK
    Filesize

    14.1MB

    MD5

    e6311a035d3469f6e68d8b0f63bfa3c5

    SHA1

    90b411ef3d26c18f571400922311d43e1f214453

    SHA256

    ed22c318926162e922d50033d4bea16a24591e66bbae7bb1bbd80f0768d177a9

    SHA512

    032885346024a2ca1c7028adfba43c28d7189428eb5356153d642949ef557ce6f06404fb8c72ee8c33b31e2b5db96b3d11b26433f221ac7cdb546899cd648982

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
    Filesize

    2.0MB

    MD5

    39859bd5392038fe44341d674b89b9b7

    SHA1

    c3192ad34b9a0f22a9e326a77c326071b5226d08

    SHA256

    4602a1d60c31ed428358c9b1da0e51b2f8ca1816b7e06c0fb28e61d940a81312

    SHA512

    59ce6f3b9bc069219c16dee388b697b6e0aff1b57741cd080b3d52505c9a8459786eb2eec2c112f161ddb11daa03a99cc8e5120b61eed6e830b71758647f55a1

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
    Filesize

    3KB

    MD5

    c33a334e0dd2ec975169f99e70f1d44c

    SHA1

    e8d54eeaa3170bef6f4ba7f41ad26f50855187b5

    SHA256

    d9a695b061e32231742e0da2b4fda7409a8cb5d46bad5fcec243e3063cf15d4e

    SHA512

    19fda348951723c2b04551db5507b2263fe7a89249a92aaf56af812b343269b45d1cb0c85f0a327154677c7262ee02fce255cb715c790a03f72cd9c5d8cd8976

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    4KB

    MD5

    edaa2d55a305ff1b64cea0d43e654638

    SHA1

    4c8e327f12416c4bee805d44267d092706a3cbe3

    SHA256

    c20293a5f8b18e2ce026983de387f09d8bbe802fde2182b4698ef9d2bfa67c57

    SHA512

    ddf98c7cd9a768ce40657dd5cacc482996b23315cf9653423b81613f5180eafa4b922a19fca8286c7b28c7b87cc30b336958534a92ab6b18243c16f1264ef209

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    af42072fcc00aa3dcd320c94bbe88f49

    SHA1

    b776b39032c708dc1b067c5d292279913228e93d

    SHA256

    5ad99a25d7158cd974c94603494e93150f38119f59d49c42397150e8079e2e3f

    SHA512

    fc42b0d64614d89c5425c22bdfd2eee072a4f1d3c734481e959db5a6fab3b15e8e6eaad0d7fc223923ec7fa275ccf68f0d0c1631abfa290f1fa55743af1c506b

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
    Filesize

    41.8MB

    MD5

    daa4b99c50801978da62cb5fe28df88c

    SHA1

    462b273b4e8468bd99c1499fbde05a56d73cb2f1

    SHA256

    149315803d631417fccafb3fc1c6dc79c2f715638544be8cf5d06d72f81d53de

    SHA512

    d63cbe81c0facb469b16efe6654a49d7610f2bfb1b5efd50cd69103a3ce7a566dc1c6a2742ced7ef4658ecf3a66a762663359fe6b1287ec3690ad98ade9c27d0

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    91954cc4b2b3852da850248a4444ad89

    SHA1

    dfe00d3e3c7a4d24a7e819a978bdff9c40d8a94d

    SHA256

    41c25392629d8214186bad1fdb037b016ffc256646bd201cd12a216f0ad53dcc

    SHA512

    558fe82ab730ef4d134ee243c775531b780234a20e50a1fc2c2c19af2cd4e655693203cb5ff9cbbc9a19b359fab40901bcdf275c0077822d1653832fcc25ea56

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
    Filesize

    2KB

    MD5

    405d55af212d334e0f4f8bf646233080

    SHA1

    7e0d0af687537236630e45f4d82ecd573095a148

    SHA256

    232d442f6f415a9e80803a015ecffde63629c08a2b2a1a610d1b44e903283c13

    SHA512

    791da8cbcfcaa1b30d96d621b0dce236a9c4946bac87945f6e926520bd462891cf7758344c9f71ae9da2602c9fd77a2e9dc12e12777222e08b8efccd6e598ce5

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
    Filesize

    10.4MB

    MD5

    6d5ff0d176ff3a84f4618a68cb8ac39c

    SHA1

    91193d56dc884cdf6fcad0cef2f7aa7cb2887999

    SHA256

    c6427893288aa2880629cd56352680c5e3730f87f389ba3dcd84e4ca8e2c4d75

    SHA512

    444e29ee8d10bfe4ef92277c821eec89162fa565707cd45c9c1cddb07c19fbbd58de927102c369dcf356ff9eebf66f20a114959eabbec28b546740c1051f3264

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
    Filesize

    641KB

    MD5

    cefae58948abc5fd4cf8780b3dcf623a

    SHA1

    73ccac234e693e860f3b248c2f2fd86cfd57a104

    SHA256

    ea404eb19d3f222d4a79758a085dcc156bd7ae2f064dc03c19820b148c7f9f59

    SHA512

    da04edf72382c5ff38d87ba2f60bb38878f385d831cd0a22658bb83f33329a3b7f7977d06731013a433dc7e15f1ace1084486df90506e56319c322d4d91fd0f8

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
    Filesize

    1KB

    MD5

    69628b0445aa3f36a9d247767307e89e

    SHA1

    36de065800dfeaeea91f4fdd93dc7c1bdeb9ffe9

    SHA256

    f5a7b075f6fb646f5a89ebb84eba802fd4ab7ef85e266a66134f2b3e3343eeaa

    SHA512

    c0a9b9f5134e566ee2c360eb8bea3937f693fc2c9b7d8c9db7cde226ac73e4282880a9cdc0765ce3a52bb54406766770dcaddc7873de544c8b28242ec8fe445e

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK
    Filesize

    12.6MB

    MD5

    29332848c6b80c424ad1f95f35be01d8

    SHA1

    6e110a9e956072a4fcde87945ee623c5044b3b38

    SHA256

    9c61508aa9981cdd3d84f0c3306a90586ee489d94770f23bd35f0ed655e62cc9

    SHA512

    3647a1f19755b1a007d93a0e7adaeea085b54f2e99660d33f92858c5e50a33466034338d6084b0e359cb8308d9ce92918a020a42536022847022df25f41f140f

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
    Filesize

    647KB

    MD5

    48fad17ffcfb4545a99f9f88a0a43a01

    SHA1

    98970bc37d704a345bfe5b5d6bff00a9272d02fa

    SHA256

    cd717f5b2b0092fbd911598b85107cef5f231a6b3e60e63cae19a69246217ca1

    SHA512

    8b2df064d20da8214ddb7aca2f8b57faa061535ebdcd73a55e8103d98478d04f53d7c29246d2317230c2f4a7b3287298425ac18c155184acbc5fc5705a5c78fd

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK
    Filesize

    1KB

    MD5

    79745d76b8b99da383ab80aedb49a9fe

    SHA1

    51cb8f2b991aef2742a6f4bf1047645e82424840

    SHA256

    838a8f82dc4fddec56bd406cc5f9160cefe7cde65aac2cb46d6a2940f97f13b7

    SHA512

    657bbd47118df4fcb133e8d2e46398caff214de9ad32a5ff5e3706904c2da072915cf28a4cf24850641bcef6ccaac650731925e20fb7ba6fa9e30b03b34627a1

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK
    Filesize

    19.5MB

    MD5

    654545f052a34d27f95e7c0dae53a0f9

    SHA1

    5d0171568da2239fa22e4830f9f9fd76a2302f5c

    SHA256

    ee16404ed250c6708d36a832bbeaeab5d8eede47d02770a1cdd67478effbe568

    SHA512

    72193f1cad0f61b6857941a6dff5a24fac7794fbe96cd2235bef828f6872226051c8589099e75a8cd63435f12252d04e74dcb186f647933735481df0d86e9551

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK
    Filesize

    652KB

    MD5

    7ecc2790fb8a330a28140670d44ef700

    SHA1

    b1b843a9829f32648a36bcee0b5da9732612ffb2

    SHA256

    15444577d63a596f3c011e3d3ed563bf480b675cdb3f9983bc66b3f7d5925494

    SHA512

    89a4af98ef8dfcd6d85151b84e39fe257c392b701d84e84dde3b336aa18d878d8fb9333894817d52753f6cbd2a8021f0a0fa7c85a53805b8a63b213a086738a7

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK
    Filesize

    1KB

    MD5

    2df113cd04df4e4fcfef28a866b9106f

    SHA1

    f7802b48bbb1584f9d61c5f3d40577f280936030

    SHA256

    57743fb3ffea47371d81c0afc53219797d19ab0f3c271f787a6377be84535803

    SHA512

    8056ac9ceb3e517e900396f13acfdbc4f72bd261608bc5304cf621ae411bf7e69577b53373aed517e3cd61c051e7ee4b0767368007290e8cbe483737b15c00cf

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK
    Filesize

    635KB

    MD5

    54ea3ef5e5bedfc61e184bed26a492ee

    SHA1

    0302cbfb64d8019b521f929a4146d9cd54da893e

    SHA256

    0e192e1bb8d549d31ae4086432aed9b5edacc8be02b71f9fa4a9fb750c7e246c

    SHA512

    d6e3ddf151e1224bb2ffa314055f2701f35a645675eb134295c4fdd08d34c32825e2baa8a3e6562607f8691d07619ce8f0042ca98601f00b5202dec964fda74b

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK
    Filesize

    1KB

    MD5

    b5a38541892f5b8c349d980e3389a2f3

    SHA1

    3df719f8277be898a450a39230338b13adae82a2

    SHA256

    052e26ff7dbf15484885f710d2824876a98bc635672ab838b0720311041e7a54

    SHA512

    5115c254f6984aa29de432b81e73557b2eb4a9ff4e04f821268a04650c3454ec0854db25b9533a5342eeebedf292462ae304665060fc4465fddd5fdb81ba40af

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    6KB

    MD5

    aff9ce739e9f5d448b7956716e504eac

    SHA1

    1bdf7670c40e6fccba5d3a1ce21459510fa8cde8

    SHA256

    752b633599bed8901f04e411597af43f63dcd7b12f3f5b65153f2501fe60387e

    SHA512

    d1a18288e26df89529ce0d7963c3b8b9046417e39635e49c30a63cc9b0614b4f597cc23d11f6dd6afcf0547f542cf800a17398d4475cac05191c4e48c0246605

    Download Submit

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK
    Filesize

    15.0MB

    MD5

    480bb7dfe5a4a73e88041ac21adf1e21

    SHA1

    ee02f3ec76479c676b4247853ca81ea875989179

    SHA256

    0e625ec6a34110b30bcf2c73d5ceef488937af2202a0e332d7018c510f5b59c3

    SHA512

    ded0e9d22a00104bd54b6debc85effe63747a35b7d214cb0a5305dd3be275eac5b8dbf3f279fcbe834700db504c79306dde119ee5673eba9e3a754456decb60d

    Download Submit

  • C:\Windows\Installer\MSIA155.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • C:\users\Public\RyukReadMe.html
    Filesize

    1KB

    MD5

    5cf0c19964f2de308f48433e78e3d24a

    SHA1

    9a14fcf00d68f64647f4b9d807685d5c8cee2573

    SHA256

    f5e579c28356cce59dd74dffac7f3c066b42e08ec0754a40f7464a9a742c3f42

    SHA512

    2ef4bcb6d4e246618827b1c0fe293a0536a812107ca38836d6fa51e0a10ffccdd705a1ab10b1ab0a2edc9a2ec3af65e938a14ecba014e8de19b55931a5c511bf

    Download Submit

  • \Users\Admin\AppData\Local\Temp\NTLwTBJYUrep.exe
    Filesize

    279KB

    MD5

    5df4ac6e94ae7e9f9eb28d8f7f464946

    SHA1

    79f222f94fa265896c5e4578b91ed4ebc100058d

    SHA256

    3fe801df149ffae08275e24be6bce3de67e9d5407c0417542001f726541fbe4f

    SHA512

    18826a1cb94e73402c279607d1348ba532966fe3223cbeec9cfb534ab425966fadeb001bc80518411b2f8c8d884b2936779950fbc0c5f48dfc01d33e766f749a

    Download Submit

  • memory/1484-16-0x0000000000310000-0x0000000000338000-memory.dmp

    Filesize

    160KB

    Download

  • memory/1484-40-0x0000000035000000-0x000000003502D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1484-74-0x0000000035000000-0x000000003502D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/1484-79-0x0000000035000000-0x000000003502D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2336-0-0x00000000002F0000-0x0000000000318000-memory.dmp

    Filesize

    160KB

    Download

  • memory/2336-4-0x0000000035000000-0x000000003502D000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2336-8-0x0000000000240000-0x0000000000266000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2680-31-0x0000000000270000-0x0000000000298000-memory.dmp

    Filesize

    160KB

    Download