Overview

overview

10

Static

static

1

2025-03-14...uk.exe

windows7-x64

10

2025-03-14...uk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/03/2025, 19:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2025-03-14_b6b531d5477d737cb153ec5201c5baed_ryuk.exe

  • Size

    134KB

  • MD5

    b6b531d5477d737cb153ec5201c5baed

  • SHA1

    fe228587cb8ff1565fbc0e825f45fac0726c4ec5

  • SHA256

    9d2bcfa82facbaff874c61534ef4bc647ee072b218c4903e87012e1683e30bec

  • SHA512

    c4d84ba0e25d0e8a4d694a9924183cc65168c010e18d539d2003b02ec13d43c6a2f3594266ab4dbbce7de5f769f86192e9320cd2ddee332ac0ad161de27f1426

  • SSDEEP

    3072:4MQVQQA/chSW4wL2uY5Mfz/qfsbkPnwaT3T8uZoCKq:XQVQQAKSW4wax5MfasWobq

Score
10/10
ryukcredential_accessdiscoveryransomwarestealer

Malware Config

Extracted

Path

C:\users\Public\RyukReadMe.html

Family

ryuk

Ransom Note
[email protected] balance of shadow universe Ryuk

Signatures

  • Ryuk

    Ransomware distributed via existing botnets, often Trickbot or Emotet.

    ransomwareryuk
  • Ryuk family
    ryuk
  • Renames multiple (5881) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

    credential_accessstealer
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 16 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
    discovery
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 13 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 7 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 25 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-03-14_b6b531d5477d737cb153ec5201c5baed_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-03-14_b6b531d5477d737cb153ec5201c5baed_ryuk.exe"
    1⤵
    • Loads dropped DLL
    • Drops desktop.ini file(s)
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\MsMoaxEPWlan.exe
      "C:\Users\Admin\AppData\Local\Temp\MsMoaxEPWlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2064
    • C:\Users\Admin\AppData\Local\Temp\IqnopikZmlan.exe
      "C:\Users\Admin\AppData\Local\Temp\IqnopikZmlan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2800
    • C:\Users\Admin\AppData\Local\Temp\NEjICSmFClan.exe
      "C:\Users\Admin\AppData\Local\Temp\NEjICSmFClan.exe" 8 LAN
      2⤵
      • Executes dropped EXE
      PID:2696
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2356
    • C:\Windows\SysWOW64\icacls.exe
      icacls "D:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:1612
    • C:\Windows\SysWOW64\icacls.exe
      icacls "F:\*" /grant Everyone:F /T /C /Q
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2848
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1796
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2284
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:572
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "audioendpointbuilder" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3040
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "audioendpointbuilder" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3044
    • C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop "samss" /y
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1400
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "samss" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1868
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD31CED0C0ADBA5AB7461C57D05E5F51
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1296
    • C:\Windows\system32\MsiExec.exe
      C:\Windows\system32\MsiExec.exe -Embedding F3333289DC032481270E637122D7A1DB
      2⤵
      • Loads dropped DLL
      PID:2364

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK
    Filesize

    2.9MB

    MD5

    063bf4b0edc37465810e16c06a6edacd

    SHA1

    9277f6360cbb85194215fe0ab5fcaf5a71add72f

    SHA256

    caf78a3c389765c7175d34d6e954163389f4249bf31a8f5d5362fb76690b6471

    SHA512

    d29a3b6f89112e669b6410cb4d5fea42bc36805b417a55d776e5824cecbd35ee8ebac20a1e1d5c8b4f7d76c701ace77d69ab9c140ab9e3917b6cae0dd4aabac6

    Download Submit

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    31KB

    MD5

    638def4df43ca29063ab902d70664c07

    SHA1

    dfebed80ba00c3707ef078eb34fd722195fe140a

    SHA256

    354ff02ebb699ebadd73c71af844ea216641fdc6d0a157733b753aa910b31098

    SHA512

    7840fd5778c3e85862e60b3a8f67887414a3470ba9611922830a20b423739ce97618a59f2351a743b3df1d8f870058c2a02381f8e75be7a0ddb9388a7b4c00fa

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    e560ca14b6465d46b55d330b054b859b

    SHA1

    6ce4e5da1f4ed9675afee871f5f6bb2bf9f4ccf0

    SHA256

    5fb5558f8c0ecfc173d8fcdc2328db8566def26c4172e6e650e803472e2d00d9

    SHA512

    8f01b5e3a72d293c251f81a09df9e51ecd89c734bac2664abbb59e2da581b947a798dcd14be64c723fae603a9796056577c3012d610e694fd5467108c41ae1cf

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK
    Filesize

    1KB

    MD5

    de11cbc6d6904d908463f116f68ebadd

    SHA1

    a71a3c287cc67e79b2bb17e4059a985d383fbe4e

    SHA256

    c3b737c377c892b7a72244fd57152d58f35c94c293b76bad7df64952b0f9e554

    SHA512

    6710ddaec1437d8c4f4dc4221717828a41351765aeedc57a737230470130a30968124b0d73315ed324672393a91b01a3841ab3acb6b52f1541d4ef91bc620da8

    Download Submit

  • C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    7d32856d62ee909e99f2ccdb5e97ee73

    SHA1

    f0fbb556ad36a0cc00e18ceefb659c3150a9c0fd

    SHA256

    9d1a018c7018d1c19dd448808b907d974d654300a38b64592a23633471292ab7

    SHA512

    3d6fb826558676b90117ff599bca0578024e44508c67a1fe54ea5d30a1d3d1964698eb5b454cdfee6f55d87f70d602ca5f2c66604077a1881b4e72b2a2c97512

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    d813428610c59dd3e81579d0aa29f9f0

    SHA1

    79219e7f818b01842c6778ebd4c59e551308b2a2

    SHA256

    b8633a9134532b928693febcf966027c4351063fe2a889a54010e21275656b58

    SHA512

    af9158c49739f2404b5028d39218dcc9279e26872a262d28fddfd79446fd00219a5072661be38b49f0207670a3ff08e9aaacd8b44b68513858214f58d4a63654

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK
    Filesize

    1KB

    MD5

    614ade3b7ee94ce17f0cf7e56f72ee09

    SHA1

    1cdba25533c908fa5ec2531ab324cda3b304d3da

    SHA256

    9b8989f8cae55761fb329e6136799c0316d8b69de606e9c2c6b3b30bd244f963

    SHA512

    ab7188a73adfbe70331f368b82318e90b5e637f20a225d103a2f62add84e9f17a114c2e4607f8a43135c8f2c80a85bef6e044732ad19cc12b6db4c125132eba7

    Download Submit

  • C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    25c7be89bbf2cc8bebece839dae603ba

    SHA1

    94118f9d8c7401e98b35efb94a6feb83e2d54e36

    SHA256

    797906024be893765b9211a996f0b41ca6f47e5442d619867446bdda6494a903

    SHA512

    25c5abe14c243e75269fcb5de3b1dda4be8fe35d8b76673b3f2f80fa7e2a16fb1d5d5e0a9a98382f66d977eb9c13f7b707814a7eae05b838590af3af0840e378

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK
    Filesize

    9.5MB

    MD5

    35c0ade7062e0a29db7233a1627ebca1

    SHA1

    3608411af750955583b8df89fdb13cb9dbb135fd

    SHA256

    1e19053988b614815650a42730fa36b5366daa08aac4a44b985e2570e9d561e2

    SHA512

    03f87e152785315d21e9b26f18e9a533fc1299ad897704111b2802b7de8a44eb0ceeff9f6aaa4337fc8eebee21d7bb94a87366a1ca2163a9b30e1b99db5cf6d1

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    8ab38d621625fb693757ebebbd44345c

    SHA1

    ebd9cf0e6e75864b235367e401ab848c354e3bee

    SHA256

    076e8f6b1c56e5192bb69d75f63e2606b9c5bc8d009cc45349f3280203b40027

    SHA512

    9fc516b9a664ff293a557fe770fb17acd3a91a27a114e8ac7a2bea1c03a134a771edcd3545599262d36f5fbee6cda814e13ff0c08f7f6a49034adca3b2f4eff2

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK
    Filesize

    1KB

    MD5

    370264ada1bf16e1ac2d9534410c97e5

    SHA1

    a54f09088cd787fbc8b2aefbe45dfb211a552a8c

    SHA256

    2cd20e5ccb29dbd02cbb62241f170e6235f36fe5c929a42f526accf292c51c8b

    SHA512

    95a03f46e3a959250144cddb98fc4826490f1102af6b83a7a40f92ad1257e4f7f242cdf1b0cbf7de554eef21b89d41ed0f125138bd2c0493b2acb8c11cead743

    Download Submit

  • C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    1KB

    MD5

    b2f829d111e86b433aa6c80928dee161

    SHA1

    a39da00237d3d9bb9b52943386d9b64aed0df341

    SHA256

    4adb85a830db3a9fba3b1c78fb590b428973de338553b5e1efdf83bb6c6d0fe1

    SHA512

    c6a8877171447b6d6a77675cd421efbf572a48bdca294fe6e504121bf22e873a55aa29cf8dab64a1d2c3ed6bfe287487b0e59d56a8c313d136d0421f12d81fca

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK
    Filesize

    14.1MB

    MD5

    1dd94c0d5c5f3809343705e0ff42032c

    SHA1

    b76a5a4b83cb0870b283abfbfb929e336f5d9b5d

    SHA256

    752c6763c0ddba3534d912806581aab3b54215a83b6b23cff39147bd352a9b8c

    SHA512

    1138f20516ee741a7ada088b2fffe17c2930c56033d0e310c5c22380ad2c00c451bdf026808e9475125b0daf2dd40496a38c4827a5df901ea1b93876fcd083de

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK
    Filesize

    2.0MB

    MD5

    541e3512fb4af7f945306b3bdebc4d02

    SHA1

    fc41a2f21191a7405dac7d82e0e87d6eeed56b96

    SHA256

    0c8bfe6f70f458585b63d74994b3e78a3ef3e57ef629a872deed4156492db0c7

    SHA512

    d4b8edc72d60c5f3d5410634a6ca2947dc5bbb7cfb8993528e3d05170d43194b9d3390578cab81b21317375f08068c3b1a755660a21d2869d712f670f74a9a0b

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK
    Filesize

    3KB

    MD5

    ac731828484d47ef5124c3ba1fcd9e2a

    SHA1

    70020b4ff2b9d09e9dfd4555197e43c041066303

    SHA256

    a4de39d1f66a58bf0cae228074b623a72b2c7c6627f652f92fb9321fb8849e94

    SHA512

    5098c7a1eceabedf1d3bf426cdb1445708926c747149f029dac84dc01cdf7613ad20d02eabe59faaf141c0584b67919d69fdadba4c50d32d1014cf7eba9dbf51

    Download Submit

  • C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    4KB

    MD5

    2caba7379b74e968c687f95fcaa2bf8b

    SHA1

    1d38afa3ebccb45daba60c96badf049ed0fed0aa

    SHA256

    42c0ae81ec1536e5ca9b43fd6c3d14934fe39e861cd8e8f4ece9520dbe613e75

    SHA512

    cc54ef058181ead1cc5f9b7a53f6c4ce08698221db17a38a0d70f064732b3d8719ce83fd2a989cd34ea5732f3f8923a7cf69fa84b32ce4b5710a230976ed9ae2

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    c9ff7d65af23a7fc54593d0b301bf6f2

    SHA1

    8740d2f14e8af170ff9b32ce75f614cb72cf4acc

    SHA256

    baed27e7cf31de9e51de573d5bf3b7330fe6803ce86f0663f2353b8d6c1c1b6f

    SHA512

    1667242e8e8f46bfa3c30f3b9853e59ab9dad2efe09b705012a00e6342827c70accb7412eb4c8bbdb1cdb9fb58f0df697f7dca3ba78014dcf320bfdcc02788bb

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK
    Filesize

    41.8MB

    MD5

    940a91541b93ef27f4f050803049bfe4

    SHA1

    0cf3b12249852f14dce9e6b0fa1e67b458ef9b64

    SHA256

    19795062ea9fa8653e58321d04af192ca192db33d0bde75f171db47ac76e43e1

    SHA512

    d818b327b962cdb1d33083f8d7c4d8ed883ea49ea1920c765f3c17b2b6e4becbfce2daadfa38bd3e8f4beba2b35c4329833de9bd8057502b74460208eae2cff0

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    cb456daf0b52595d2f47e7d537fdda2a

    SHA1

    b8ad4f665e21d98114ae0ebeb915c8ae365e6071

    SHA256

    fcd6ff1c38e944e816d9af92d36c1c5d8545b1b539cb0c8378bd73c70ac748a1

    SHA512

    d4bb4ac36af8cbc6e7c095e9ba2ca9ea560ed85def04f89083b66b15caa597fe8722edaa162071d07fc85da69d3a1807fa03aafa87451ed4b4fbb26a6868d080

    Download Submit

  • C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK
    Filesize

    2KB

    MD5

    3ae5f57fb4fe6f40f6fca09d82070e2e

    SHA1

    b7b44bd293071f2be46bf4442f18fbbf7fa8d338

    SHA256

    c8d248066e1bce29c99df2881a39537b119dfaba28fe639a36e9dd39d909fd8c

    SHA512

    257740504acab5c3cedeb0197a8810842e0acca25314f9971e04084a7f58a9217d75a92e0e68628f4e86ce7d7adbe7f9a6d2213805a0e397ab4f946c0ba74839

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK
    Filesize

    10.4MB

    MD5

    0fb18191aa7cdcdb018ef818da17bb44

    SHA1

    90afbb2fbbb62dc05368c67c83fd4ec9c67001c1

    SHA256

    2e87cf9ca9079b2af9d24c859517aa1f76eff595faa4bac144939dd7b4de5f7c

    SHA512

    873fb42b251cd51dd6bbddf8383c2d41d65e58bbef06bc8beb3b9c10ee45f9aae1f2b1736396a0c274b003b74b31a7ec4d00ab71e1c1a58614c0435302f490d8

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK
    Filesize

    641KB

    MD5

    641492a731a1b4aa4f83a9c31373ea99

    SHA1

    c84551c5e4870b69f0ea09e33e19fe3623e54764

    SHA256

    9e56a9230b03d4b39b4aa3a5d69cbb27bb4282e424526fd6817c957d66b76de5

    SHA512

    3d918340ff51e3c87518c7396de04bbd691948c56ea100ffdf012fcf2045b81e4f1df93b7e52beb5609c56698709a2d569a034fe788fa998ba92febeddc6ca9b

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK
    Filesize

    1KB

    MD5

    5687d2d08d704a63b04850510b72239e

    SHA1

    f566eeeef6e6e6d494e65858a2a61aba6fec9ef7

    SHA256

    1506dfc73aaa17f628c219adc7d588b1358e3bcae93867d6178e5032a7dad8da

    SHA512

    4ecb852598326f2b629a1a3c2e53aca9056c730b4e57a66bd39fdad1bcc2d3f5d04e8af1a81ed483b16e2eef3ff04e14f49327b49bfb4e18dcbb18c8ba5c0675

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab.RYK
    Filesize

    12.6MB

    MD5

    fa4629079785d2e196e0bf51b94e02aa

    SHA1

    f11f9c01cb49f9b0a29e01850ab4c70f6eb7975d

    SHA256

    d8996b6f50f7bfdd162bd4136d007da951abd2960dd1f3e595aa02ef4db1c190

    SHA512

    1a28318e2630c7dd777d6d9c2881201f19aa3a322be498ed33b6300758efcdce1821a4d268167b05534c3ed1b959cdbaa9a62fef0cdf170d90a6b30380ef883e

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi.RYK
    Filesize

    647KB

    MD5

    e2ca2947387bdcd6650be5f6a4d6c596

    SHA1

    bce57c4b680ef8ebc6c08c266735d5a0d7f42edd

    SHA256

    e4af467886f6abf859754df8aad32ba5b27b54567e6b8388fc95434515070a56

    SHA512

    fc7deeb6c41dd19b0b8d3f834d99ced16c82dd40d24b528135283ef8bc4c66ec893f2a96d9b607094d2164ea463beadecd1f85d09199a5e10ebac65ff7eae4fb

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml.RYK
    Filesize

    1KB

    MD5

    38c161b0b772398f041ae4787452eea9

    SHA1

    c47cbe1e9f175b49ddf2a0e7f6601f23ecab1256

    SHA256

    0dcd538942cdf9908164afecae0a7b94b722d392d6b8d271645d40cafa98659e

    SHA512

    85f058d9685e680236eb04f13085c70c100d4e307d18a538de4f02489fb59d52d13cbd77e588bd1ec8b657ba7f8e9db42a118f1ca884692bbd3bf44305ba443a

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab.RYK
    Filesize

    19.5MB

    MD5

    fea10a7c000304cebc0600e935f577c2

    SHA1

    12ba7e05a7659cbe0455443988ede47e0c346469

    SHA256

    dd50c013ce52d168ac43a7b1549a72a9846d7ab6b0e5a7dd6fd3892df4d44447

    SHA512

    d8334f283c0c613d190d5799c838f0c7b0bc9804b0332412c6cd5f9edc3253de0a27fb667deb2a747f641320c5bc22935bbac7ac3b5a0ca469a724b9e2fba7f7

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi.RYK
    Filesize

    652KB

    MD5

    b0cf4db1cc5614b93a985dcfa945290a

    SHA1

    f643368c4b57d2543cf73de0f9b59e60809d26b1

    SHA256

    15991ae0bf9a04ebd279c58b4ab49d8a81352051cead9f9b4c7fd06f912be0fc

    SHA512

    bcb1fd5cd9e552db5121c47ec3847a96b6233782fa537170d0ae52e6126f106c459a14cb2bca480fbad68f1238bf5a58aa24bd7a3ef135887d576f168f56a88b

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml.RYK
    Filesize

    1KB

    MD5

    7b8a15f053648a6b4ea7a7939e275b97

    SHA1

    2a20b0ce4593778e97ce0a0fba1b47f064d9798c

    SHA256

    3b3d468661646fe41c60ea1a3228212e630924fd224235331f8f9e45c584aea6

    SHA512

    86c07821ab90ed4efbf4409471fe142e7f38f7cc079e0b0324700fe5e4570e3d8416eeba5d81d8332e43cd75e46f57ba8b6dff62cc868665f5936ce47fd32254

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi.RYK
    Filesize

    635KB

    MD5

    0efd84e69eaaadc2fe83f3ddf00df388

    SHA1

    2b104f23998df4996acd072046676f0509204a96

    SHA256

    0327101eb744a17e71bd42b620781f2fc4b5d5439103d322b4e06a5daec10711

    SHA512

    3321903437dc9ad232065796ddecc9ee797d308c5fcae94b462695dcd3458bae2e2e91ba7e97723a58f6cdecf7470d5c12e2df74e103aefe926beeff269d6f83

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml.RYK
    Filesize

    1KB

    MD5

    c3a61209a209183c5a515aa2fc06af94

    SHA1

    31804a977f861b72048a85a689f3d676e5acbcb6

    SHA256

    7842e6b7adbb4116ee8d611ed98f810b2839f622cdd138bd9cd02593540683ca

    SHA512

    9436b8484751175c6fa5b4c3365e796afe476337e75c9a265721a84557e8f471452d5437f86b3b50868058724c74f3040e557e5dd7f5caed3f6422a5157bd7dd

    Download Submit

  • C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    6KB

    MD5

    4c8791bd0cacf2cee5af8b132eb6f3ae

    SHA1

    e28be9b960c97f549d562b63f0333c2bd4c23130

    SHA256

    4714605b38870f9be6a4c059f9b33b73890191fdc580a12df40191521873e6b1

    SHA512

    b9e797b36f9c2610993f50153002895eedc36a8876ad3d5e60dedb583d0d35514e87a2ff62ff3671e3d70d4c9a215bd43100fb291cfd7c5097dfa2acae68c6d6

    Download Submit

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab.RYK
    Filesize

    15.0MB

    MD5

    9f745317ba3dbaf1f42616e8ab54b9c6

    SHA1

    9e7b9553da4e7e7a465b6051597e3bcbca60fc68

    SHA256

    4de9ba9d39ec4da35d84c2d12904940811df0aed9365530d2e2e9b2aa84ad944

    SHA512

    a586c0909cf8a38725425e46a762d892a745dc43e10e2e0401d664088a3e1153e7b7e093e295850aace07325f0ef10a3a57c5239b5e636ddbce603900dceebe7

    Download Submit

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi.RYK
    Filesize

    2.3MB

    MD5

    0f06c03a11b7eddda67419a10ea88e2c

    SHA1

    5bb0cd3140410ed70073c20e00da473ddf82d11c

    SHA256

    8dacf1cb58f677b01258bdd0bf58c640f169c2390af8fbf3f2285edf63995cf6

    SHA512

    82c4fbd3546d4fa97a04665f3f0ae95e577dec23f15f07cc3edcc85371e5d0a9cc2baaf7858eb90a67009609c40117026e28f46ac918fb8a719b9f58cbe640d6

    Download Submit

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml.RYK
    Filesize

    1KB

    MD5

    b68e946461cccabcec6797cba12f42c2

    SHA1

    90bbcee951376d79d41419fcd3ebeae56ba17470

    SHA256

    8cdab1dae692048fa83df155101a8ed87756557f3c385a585a4f0f747b9a4bcd

    SHA512

    652299aa4916d1260f753e42867102a93ea3510fe554867324c0637c39e510e8c1d14dba2429d5ff9984d23f153f5e17b342f295cab68de02cdf201fcd682ca8

    Download Submit

  • C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml.RYK
    Filesize

    2KB

    MD5

    48b1e8b1ea617b831f93ad3defb6cb60

    SHA1

    ddfebf34a6e52cb994d69118967d31112004fdf2

    SHA256

    eccd7bb2f251e7054b59358eeb2ecb91e33c78abcce5284863f47aecaf8a9382

    SHA512

    e51756bb927d7a28f7b0111ffc64fd1e9f04bd0512a7a882ab42f4780da58fa0841db4b01c26aa421aa687868efb3980bd6a624ba407625239c5fbe5e090b185

    Download Submit

  • C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi.RYK
    Filesize

    1.7MB

    MD5

    415951458a340b98c383885725cbcc30

    SHA1

    07a5ed3a51c11d515a3da178db13c5c2c777a574

    SHA256

    15621ae667294c67d9b5840acb69909a710869c32171c8f0b90e81a042ce5d8d

    SHA512

    5876e9d32ae589429e58555fd74731ba17c7c140f6a64b434612944df2c2f181133d783d337106155048243c47d3d41a29aff2ab985208512b4c307faf597181

    Download Submit

  • C:\Windows\Installer\MSI8251.tmp
    Filesize

    363KB

    MD5

    4a843a97ae51c310b573a02ffd2a0e8e

    SHA1

    063fa914ccb07249123c0d5f4595935487635b20

    SHA256

    727ecf287fb6f4953ee7748913dd559b4f8d3a022fa2ca55bc51cf5886c52086

    SHA512

    905c081552d95b523ecf1155b6c7e157652e5ff00cda30c1c21124d266eb7d305c3398d6832316f403dc45d1b639f1a5a67aea29922cd1a032f52e5247ec55d2

    Download Submit

  • C:\users\Public\RyukReadMe.html
    Filesize

    620B

    MD5

    7498f7a90d67844d93be08f9933fd45c

    SHA1

    1df59e562d66b30c3553fa053f64e375fcaa26a9

    SHA256

    1b3bbf380f9edbab15b1bd538c898ab1c2c2afb94ee914b5dc7eb0d586a00eff

    SHA512

    e2caa2ed7c4c12faa59d351435b0ba6115ed4f8348716bef29b0809c56331843311214097928110da392ee992ef75db1ee44f3c0420c34ff2cfb35e6a3065923

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MsMoaxEPWlan.exe
    Filesize

    134KB

    MD5

    b6b531d5477d737cb153ec5201c5baed

    SHA1

    fe228587cb8ff1565fbc0e825f45fac0726c4ec5

    SHA256

    9d2bcfa82facbaff874c61534ef4bc647ee072b218c4903e87012e1683e30bec

    SHA512

    c4d84ba0e25d0e8a4d694a9924183cc65168c010e18d539d2003b02ec13d43c6a2f3594266ab4dbbce7de5f769f86192e9320cd2ddee332ac0ad161de27f1426

    Download Submit