ryuk | 6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9

Analysis

max time kernel
190s
max time network
37s
platform
windows7_x64
resource
win7-en-20211208
submitted
20-02-2022 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
Size

152KB
MD5

26118fb26bd9ed25daf7936ecc3e85e7
SHA1

94dbd51c1f1a024ea2df91d636e2bbebdd88c8d7
SHA256

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9
SHA512

602770e870a728539d59fa1c5a49c6a90f514d9139141840a10d6fb0dcb27969200cadd2cfe52b5f7c6d52540aa9cf4c6e25d235309245d63abe66d321d82b8a

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation. More than a year ago, world experts recognized the impossibility of deciphering by any means except the original decoder. No decryption software is available in the public. Antiviruse companies, researchers, IT specialists, and no other persons cant help you encrypt the data. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT DELETE readme files. To confirm our honest intentions.Send 2 different random files and you will get it decrypted. It can be from different computers on your network to be sure that one key decrypts everything. 2 files we unlock for free To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY Ryuk No system is safe

Emails

[email protected]

Wallets

1Kx9TT76PHwk8sw7Ur6PsMWyEtaogX7wWY

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exetaskhost.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\AddReset.au	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\AssertExpand.wma	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml	taskhost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	taskhost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

pid process

1076 6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

description pid process

Token: SeDebugPrivilege 1076 6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

pid	process
1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

description	pid	process
Token: SeDebugPrivilege	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.execmd.exe

description	pid	process	target process
PID 1076 wrote to memory of 1396	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	cmd.exe
PID 1076 wrote to memory of 1396	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	cmd.exe
PID 1076 wrote to memory of 1396	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	cmd.exe
PID 1076 wrote to memory of 1144	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	taskhost.exe
PID 1076 wrote to memory of 1192	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	Dwm.exe
PID 1076 wrote to memory of 1396	1076	6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe	cmd.exe
PID 1396 wrote to memory of 368	1396	cmd.exe	reg.exe
PID 1396 wrote to memory of 368	1396	cmd.exe	reg.exe
PID 1396 wrote to memory of 368	1396	cmd.exe	reg.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Drops file in Program Files directory
PID:1144

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
"C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
3⤵
- Adds Run key to start application
PID:368

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Documents and Settings\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi
MD5
81a7ca119230e62d3d5f2be9136e6bf9

SHA1
f711f1c99621d316fa6b7c1117f6bf761aecbed1

SHA256
fc5edb7ca6c4109db832b98c94a9fe418ab57841d132915be0bd67ddc9398054

SHA512
ad43ab0771bf41321f7454a818cea10fc16af4288c4ab7b0ec9b0df779e1571f8d6c9b68e13b75c260d9b51ef9d1b5ca8d374620f7493f4c0a6e20a3bbbb7c8b

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml
MD5
6fe51f8841c9d42122f7f59606be6cb5

SHA1
1d227550d6a72c95df1b5666c5739c0c08f808f7

SHA256
b6500a06308b239fdca95b0651e8de4edcc4bbd4a3b440440a243d5b3225709d

SHA512
a03e485aa034ff00cfae354bbed3aeb419163b19d73b53eb9fb9c789f0ef090b24290dc44a490649f02c3112614aa659848469a631628892a7a9b74727979dca

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi
MD5
173b8fc26c8f7d559065585bbfef62f3

SHA1
0e6256124db50f734c568f683e0c4f30b8f01129

SHA256
010331afacff7cd253e24e7a3b52b3674a98373c46d0207ae29db2b0a7c678d2

SHA512
4b5d1993aca045ef6a8ff37d21d0fa6eb9765c139a68c73348f48f2d1bf290c8bbd66a3aa47975b37fd0d6f7364e158bd366fc7cd567634873484af3849ea4ec

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab
MD5
b11f75455966fb48e19192a15de93816

SHA1
7264f7422b8d5b72e8028a56f15c3d3c97cbba4d

SHA256
033dec5660c65d8ebf9549a351ee00ba28944dabcf99047e0405992c7a4f0a08

SHA512
075e902f8d47226fba07e8b5c453e744f2356e2415f674b6ca5b009d4f6f912295343c36013ff00f2e05c51a88badcd6c29cc0c3117d7ed313a6703ccbea958f

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
e02112d65292178dabf63ffb20a446a5

SHA1
05f61536973e077343bc8fbf0d093d238c75f8ba

SHA256
0a541be04e3f1af9e7f356d63abdc0b255279d77010656fed759c3a50d86d866

SHA512
82ab1d79ac011aabe4f0cfbc720e7b93a7e4feadcd5355dbe6fb8e920ed491f8a819df56bca0a15b0f4a12efb9dcc038faf3cf18edfd2b8a4afa64ac9a96dc86

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab
MD5
e02112d65292178dabf63ffb20a446a5

SHA1
05f61536973e077343bc8fbf0d093d238c75f8ba

SHA256
0a541be04e3f1af9e7f356d63abdc0b255279d77010656fed759c3a50d86d866

SHA512
82ab1d79ac011aabe4f0cfbc720e7b93a7e4feadcd5355dbe6fb8e920ed491f8a819df56bca0a15b0f4a12efb9dcc038faf3cf18edfd2b8a4afa64ac9a96dc86

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
2c0fb031aa4347ac65daad4d9d860aa4

SHA1
35a35e0c217505458553f39f526d9d7b39c4b2d0

SHA256
6f49b4dd551e8ae982e18d0f775d60684e2ccea68eb441be54e615bae3c69e6d

SHA512
ae549a85cfc104c7cf3c29f0de83afc89c40fb55fbeac564e56323dd0d026dcaeaf7804681541f94014d5b34ea165ef18ebc8030045a0d82084eb2a554c56b14

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab
MD5
2c0fb031aa4347ac65daad4d9d860aa4

SHA1
35a35e0c217505458553f39f526d9d7b39c4b2d0

SHA256
6f49b4dd551e8ae982e18d0f775d60684e2ccea68eb441be54e615bae3c69e6d

SHA512
ae549a85cfc104c7cf3c29f0de83afc89c40fb55fbeac564e56323dd0d026dcaeaf7804681541f94014d5b34ea165ef18ebc8030045a0d82084eb2a554c56b14

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi
MD5
6eb06910aeb88bd14e1393c5dc752cfa

SHA1
348d3dbd084de0fa3d3a252129ad929e7ad0eb1e

SHA256
25350bbf442affb9d6991ac3a0c2092ad8ad2dd8ff2313e7f1419037e609a235

SHA512
afc0be7c13b9b2633c8ce637570a69f8c4aceeb7afaf08414f69df522a188f8625b6249b3b7e1f815ef5b29c4bfda6580286e20be210b498bcb902f039b7a462

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
b8493113adc265da6fcf6fafaa799154

SHA1
1d13dbd2d39c2f5004205e21e51b244950996a41

SHA256
a2ddd93416b55e2ce6c603038280475db1d1829453a6af5391ff480d0848cc51

SHA512
b57111d31d404404d4f69627ca881b2d7f353bfa2b5913b8098513815567eb61cbcb7c09a74f5556ed834ec570bc3767a61fc143b2e140b5145207188c219a84

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab
MD5
3d12fef54cf097cf39b210e80a525320

SHA1
370d056e5e5ec2d63a62016263584c827ea1e20e

SHA256
87ed6a3ca7cc7bb539e6cd29b3fbe8d6bdf8b549142957b32c2fa4f8e3aa2161

SHA512
59c5161dffa71a6a68af70d821ae3b872b85f5742577a1c3bb2eb01e483ad7313a085df947f28ffce9d0d9a57be2141912d9f53b15246331cc0e1056ef09719a

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi
MD5
9c072c0e66135a45e8bed1f6dde3fadf

SHA1
4ae2be969f61ba8d898904ba6949f1ecda09b29f

SHA256
2f6417673d01a1d02081ae347d23d69f99d2eb3656e89c2341b2d5228a4905e1

SHA512
1ef7ad416116c3318a04965465d7e6d9065f912fb24218a3280dbdef532e5c78c5a29484126baf41dd2bc385e560dbf3b595b852302e5e80b76af1b16aa93be9

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
MD5
a8b2fb11165feaadf825b3e4760ca262

SHA1
816bcb71515ff1f5587ccd4a3c4150ab41eab606

SHA256
218459a5e06b58d4a3e925ed9e3367c3c6245d2a13dff0cbee6820676d640bd1

SHA512
cc4636a91bb740c1c9eaddf8dd06e47ceb7367c87156b4a404deb65dac50f73a6133d75b056671b76fcccb4e774d92151531e4def40a1ba3587fd3163487b57e

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
3903cbffed2916a861b96f4307eefd4e

SHA1
20ef6d79423dcb2af7e571fb17bc6f5b85779981

SHA256
0c699d4b16bc429a150f47b32169cb7572116ff19e747afdc831d1069e7c7bd8

SHA512
2d4c1029f1908af51a714c0feb7b452f3d5ae8919dd1ab44b1fe2997ba1ec006173eb6648cb9b187e27f79770dbc685cd11a48b6a95b425b70ab375c33aff8d4

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi
MD5
02dd86cf838da0aa60640c0c8a8212e4

SHA1
98753b5fd60fa6acc9c04ff564f395f5df2ab165

SHA256
798d3a25af2f03f5927ad0e1b86dc8bb07b979251c026e62834c3135e3d8a8e0

SHA512
6dce7c7eaf59ce85937752b207368fba57744a80b903a84a0f3b88cc787c4de7db1d0cef654146a810114fa99211c78e80a3c6ccae8a90a3587fd441adb9fa91

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab
MD5
9401588e5ad5fb5707d32d1f66082239

SHA1
6dc0ceec06b9ab9e139fdea574487015926d953b

SHA256
33d7ad3b22c7ab9eeea12e51cdef6061fbc55bb3a2e2f2643418b7b28efc431a

SHA512
334cedad41014a0865e7e112ec4ae575d44e1b0de44e047d75400774a5bcc6f146a0fc4a783d67b072484d5bd1fc73bffa607ecd8ab8e52af9ee902cc37df126

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi
MD5
8230959c2dd915e1b96878612a3f3a94

SHA1
15512985c6d96c7b62ad0f5ac13865d8e2638abd

SHA256
ec8ba4239926398ac06b7af0d8bab31c6dd010f844fe4218686b3675c00e2143

SHA512
005d550390bc5b762d65b6911be52bfd58a2b8e466ffeaf822e13259bfbda01c5b8f2d3d43ff572fd1f751fd0a68ae394873f930fd954be6b6561dc0ceec4f2c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
MD5
60be7f876897b92126d4ad94ecc050f2

SHA1
d43e66fc87bef51fd66fe44d5927cb2c290d7c3d

SHA256
f7a032b4800d5bace193006d979bbd263463ebe3bca775885f1a495f12a9ae97

SHA512
9ca4511268ac1ffa66ab961c670c2c96b84f522f79dee7c652bfa0f5a936d460e1f2e019ec2f14f23c3c6bffd81189a6b474a7f579a8a6328b3509fa36d8bbdc

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.cab
MD5
b8d387b837a2992ad4b015b63ccfb85a

SHA1
39791e6cd9c83706ab442590443d9eeb09831a25

SHA256
7e5e162cbc167bb6bcf3b31bfad307322898ca1d17553a8996eb77f8371c1fd1

SHA512
5637c7d76f0a5557e97a410840e2123f3919bdb8ec2452118f262d6d90f7c64f699a690a83a658f886a3606b85d4fb1e895473ee2b634518d59b181b81563034

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi
MD5
248a31d1e76f16b4902d844b29d748ad

SHA1
e986b753742bfe5cf1cb456ff1d1abcaf75fdcde

SHA256
88521bfc8f796bd0d0275a941ee66f1633db713b031ccf4bb32aa62366c3e123

SHA512
3a071ab33bd34fa6107eb4703905cd4c2e34300651e2d52a75338599a8a9498b8fa029b8049d2add96e9c60b9dd3ca91afe4ab606cadddcbfb509f2d3631b565

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
MD5
5d2f53717b24628b9a7b8e03ddd648ae

SHA1
74015a7946fb90880e311de251b01dc2f089e127

SHA256
21ed62fc2c94c0e71a359b79ac5fa4201b8e3a29d90766fb304846be645c1989

SHA512
3603ea2c59fb469840bcd5283ff615a360aee0e742c392ab260ca497771aa7c336e9a4e9d6c0f961131b7855fa789ff149a663b5cd028fbf154fddb5f140ca7a

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab
MD5
c97cd9e269442f732e95b860fdf887e0

SHA1
9a3eae0327bfd71fba05162a3cf23e3c96bdea51

SHA256
1055f51e28fb87b6288e9a1ea89af34c727d61f835b7ece5341b0df68061a43d

SHA512
f99f0afa819698a5c6749c715cd216f1e12ef8bf90791e381e702d6c0bea58afae32febeff2bfb3ad436da73f2d6d374552d118e9b7490ead50ef54dc7923a3d

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.msi
MD5
606b5206e51be78440a5447d564198dc

SHA1
7eb3c0db60df4ab6d85c530b811afd4d52c28c91

SHA256
a5710bea3b77c7239dfe9b93c7703ad02d8f219fc258a021eb3eb1872d57169f

SHA512
3dccfb79dc6f674a5e5e99e430e7530f79cce7b0b94351f2e6d575b1f8b9b1bce1624a40c4e16d81f0d482f5845386d6431b5e39f027ade87a71e98425fadd82

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
MD5
6829fe9ca4893d0a020465d1d9f411c6

SHA1
45ea7aa8b0b3da9fc4c8bc0d9e4139848b10300e

SHA256
acd2ac13d564f938214a110977c6f69ccee21db91a4433aff37c978e69b56fe3

SHA512
0b2782056dff1e4e5da4e8a2deab85dac9cb128cf465d9ac2ebe1e6cf672d783d792d8822730f55126e21be2c2bcdbdcb32ac833bf0157b830da280eacbd60c0

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.msi
MD5
a9c7f2634bdb7ba857076e62c20a219e

SHA1
1148a8df7687d076f5386125434f1ed82e0d797f

SHA256
d665c3694c3e36a6643475022535de7cbb14f6080dfc079b7dfb688af9804df4

SHA512
86ead50efa02ba3efc935365d80ad9c4a808531bd8dcc40a52a85aa5ae7e513c12ede7631bb9c721f3163f9add7752f7a4ca5ee44a8b36d73783d346d28b7574

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
MD5
1b653398b917e355d7ebaed705d93a8e

SHA1
9a2b5d6b704e2db91b3e08344c5e7935a63c96b0

SHA256
8dc966551c720b555c3d8abe1648e2542788af3e9de73176c2edb94a9b848ef5

SHA512
4a5a6b961ddaf2d572547dea1e9c1f9a0df414e1bf1f83670c2933fa2c20f2d4ff2780342bf282bf5251cdf2f5c8bce0b2cd3e5de6ab29c2bf62d069bb8670d8

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
20cb238287132195f7b87cf0d2ca2c71

SHA1
05c9d1334b096a474abf93801ffcfc6c2e10c2ec

SHA256
3e6405a705de8ea81e3d36fa624c5eb14c9f4dcc7c67b02c5e95cc75916d7de6

SHA512
251b3b5b5b4d5e2f6138c4957bce26ef40218eb95f2740016c8b2a8ca3c5e95940c22599216e1ae5fb2993794fd70665fb846c9370b42bad0116afb801c7d1ca

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfLR.cab
MD5
55c2d9f8671e3e62c1faafc6532f4ef6

SHA1
05423654b077da001c67956eea6803b643a375c6

SHA256
4770d2f88e65f43911aea2547901a13b08c92ecb1ee9e478d24dcf8a73714a1e

SHA512
5a0a1a1aca1ef594832bdb1fb614b82b7c11edacb43e33d0931a3b1db0d3684f942a4751bec91aa1c965bea9dc0808b2372c88d7f29b29265699f1e33cc6b05b

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.msi
MD5
4b3a80ff6f7adeb6a8963eef5d7e1fe9

SHA1
e6a9b78b3ca6bf0f3515d20b3597459d94634475

SHA256
632c66afc3d3699f68cadaab774cf8874412073abc874ff29096b1953bd95881

SHA512
1f88e7eabb90bbf0436e48e0a3f56748289ecb89e6b8a45e422f54a88154755f1f6167d073ae039edd5594c349d1847e075bb1215fabe8e809ec605745778724

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
be7b9729828ec330621492c67a21deab

SHA1
88ec2d582c8290beaa5c7cfd3e421636b305ac8c

SHA256
b17dfa64ffd4131350be282714b6292adc9e45c7a0f089c13a86ffb0d64b6aa3

SHA512
bf86e1ec9629594049b7d4d342f8aa622c2be1b84ac79392d47ca79344ec2cba200239441e8bd7034b8681bd1a82fb47ef75502bd117b5d6f88dec4a50d6eca0

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.msi
MD5
88edf697193e706eaad9245f91d198e2

SHA1
5725db79b33c9a4ea27fb7993298a397400e042a

SHA256
e20b36fa3a3a300f19743abe47bfb5ddab51f8e70cea479e065c98b77cd1da55

SHA512
c67d5f006b8041540c65dfdcf11347f770b59ff3d5ecbc2e34ae2db273a3c50b71cea950071b7ebf8e1075fc6342aa8df06d4bfb0cee229eb2562579ed24b473

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab
MD5
863a00ce1a41cb3af6ee20f987151acb

SHA1
6cdf1a9d36b280494497417b5ba2d95583385077

SHA256
3872b01dbb9146033ba8d584a4645fc30d9792ca3ff6ddcc7f7f57cd63bf056c

SHA512
bf7c34e39c699f96b8e12ba700cc9d9dc0eb7d7ebe617d1fc0d6bba231c4f1d83ba4ab57bdb1391c7d8d4d68a51a3b964646b25de3cda4611ff3d82fbeee384d

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
56e55ed48ba4d235699570d476a708d5

SHA1
4c8c3cd2c4fcfdc876914df454310b37e0d73d9d

SHA256
57247a397696073823dfc8661e9c13b334abfa1e3d3556ad76f20e67563226e2

SHA512
c7e56d00b671114476df47066656df20f806352b1cff31c334d7e03d2b5592a717dd6c55da5ef8cc41b078a68c5d1b4b3b39e81da6d40a0f80b8d4b9539c036a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Microsoft.VC90.CRT.manifest
MD5
62a6ba58237dc42b5659aa42faf38052

SHA1
46b7d5a30d45aaa5c5c613ba2c2dd6903a5b6bd0

SHA256
20be68cf89c87fc91f77383385e9ca00061aff05a1a9269c8c6a0ba0c0d13b3f

SHA512
5d52112f537c6935d89f0ebfe799383f9a6023c5ab230cb89bb1d835a332c93c8532d523ad3dea85b443f3bb86099900adab707f7a7766c9a885f44ce81a432c

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
MD5
2d7d7d079af6557cbda3470909980215

SHA1
318ac861ca76e2da13d8ac441dfe88f3e169a57e

SHA256
2dc98a743c003d452d3b005664d2a5e1dc034b9eaa18f948193cf08b213c364b

SHA512
39bc0bc1d26a2b6bc3b1d8f6dbe380fa2ba9bcfe0d7eb100e26622bf97e6387f0ef487478f4962dae5c9b8047b8617661637328021d60f436b122dd85cee7d74

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
MD5
fa4ed635331087fa3f50622056ec4cee

SHA1
97f1011b810bec26c4ba02dfd56b90721a3f2862

SHA256
bd1c78785b7ef9fa06a4feae191b1f23b767467548785747341f1b815392f59b

SHA512
739b9016bb132afac0bf8efe1b421d83f3a56fc5cd6f52a5af355265e9b1b9f07064d3a555120359a35008bbe1d0baf1d9224805daa2e04af60f132dc670a419

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.msi
MD5
44eccd530ebb7ede8b31a11da47df620

SHA1
082d3d6f236b0a136582ec5ea05becd2b3ddcc23

SHA256
8fed6f742974b0e452b7420fdaf567b541020312efd6c98b2f112b93bb825047

SHA512
a6523a3342a075874e6d773b996786c0a84868d50c5a82ac54e2915d41b8b3aeaec89c8a29426268bb6acf04f96b3b2b0b310d320cae1e1d0d39ba95e4d8a7b1

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
MD5
8bc4b2afc49cfb1b335dea6b6bd90643

SHA1
1fd963671f8a2450ce430a6223cbdf1be0b39c80

SHA256
3e58199d1691290d57b49638de27531de5d14c581465d16d9b4eb8df8967e5bf

SHA512
061400b398a8a0728434a51948a0fc892e4ebc2302e4b57717b0b7dc44641054c71ce88fd8e022f69a30c6d5dfd78c8251ec18e36df7742a00f91ee7ad84f19f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
MD5
135feb7ed1a1a23b4a5e4f12bc17c358

SHA1
c50a065856d84fb226c35ab461a97f37cbe9a466

SHA256
a6f6c083c2b69093d5aad9f258644dae0893d8c8a2345ad499cc3fc86ec8df2c

SHA512
6456e9855474d8d50572745703c201139812171d03430638f5d4c6fef8168ee2dc333c2105ad04679f605e98396afaaba1e77080c92782c9a1591ca9ce21930a

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\ShellUI.MST
MD5
3cba8e19e0191fd83e276d1442ad3704

SHA1
795f36b1425adccdbcd488b43f80587ab4712fa7

SHA256
39a61220f4daa3f312e42014b1ade12ecb00657789b2012f6ea73d10dc49888d

SHA512
3ff719050a8486879ccd2ab2b08563b19ccf96a9822cb57604fb2719d0d5194694239192e709279adb4d8ce231ec7212815fdc5541797d8667676a89ea6ff14d

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml
MD5
07db37f7ca85404ae8d0f0d634c8886c

SHA1
9b84fd57cf98a1f3bbe167eb1c91bd8d0dec2660

SHA256
d979c663135c2b9f46adbbc7f8d1f740f8f4dc5c64beee3449ad7b70ccb15576

SHA512
9b4c159afd46122e95a5c5f34e75c56975217890a103b5d6b7fc1f4793461ebec705600f82bc70ecd531edf72306473ed811f51eb87e83c6458049091d1940ce

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
MD5
d178fbae2b1e16722bf05e0b3c49e7ad

SHA1
4fc47fe44911fcb3047d7868d52078fca8ffe963

SHA256
6efece990f6a09bf8bf5c48525b6064d7342779fe23b74a1068e429928920cf0

SHA512
4dbd0312c5cecf0b750be40ce5bbaa99c57ce9889f9240e8ae3cbec37d5edb2187668601566b07c40735dd9b471f1ea015401be4f16718b84505f9fb3422ed7f

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm
MD5
d2e0161c7f9a34617286214e41ad2d08

SHA1
9795445436d8f662758c115bff0f3117667c15f3

SHA256
c8c58cacd3d86ab7d957a66b9c4808d98dfa0f0dcbbcbd78c5d576756483601b

SHA512
5902db57d2214a32f1562db1fccb047c2f2c64039d0ab2374a2267e3f5f8e16f7d87c734ab2dcde5e8c0073ab8cc4b361fb71a84e467ee8cdd27818369fc917a

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab
MD5
842d8cc020a7132ac8a9fb69cf4c6289

SHA1
02af0b47e42e05d7eebd5bf697a9bad8147a0af5

SHA256
1ba16fbe366b52a7ee9a5fa7937b1154233894d9244fe5b22c8a70d9d183cd51

SHA512
2744226715fa68544da2941f5c05630dc4c678ff74b3bdbe74ba40b7a33af60821d2f515882f40bea3cf74d8ad17f6975cb62b5a455fc638eb6fc3c0f99c31b4

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
MD5
8e26355fdc406e0c9ce882c554b6c3f8

SHA1
7a7b0cb3b94b44e8e06e61a6dfcb6a9f52d48e12

SHA256
63ef667e880db419e07e68c919dc89eef923469515c7fd024a95ae194e8a191d

SHA512
01290c7216b5428d1cf864da64cb935662b06c6af3a58171285dd9975182d028d8e5a41514a417dc60305d2ce4bce54e76072f33028c73dbb40262130e62ed48

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml
MD5
d370cfa2a24694aa874e5c460f78b842

SHA1
845bb47877727422eafdc425868f97e368a0cb41

SHA256
a20d6fb3caf69a30e93de35de5f7d135ddb8861900182740e9d501e45a756f93

SHA512
3b58a5fa02d2297f68a9611001e88c461b54dd9744aecb245a80a49531a9c3b43f0c7287e25c9b72eac99fad8f74bbae3992c45f00df8e827eb0e5a4d320fc6c

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.msi
MD5
9debbc4e59c43d8a894d0d901831ef4b

SHA1
06026e9f960ab77d478b9c5cc907eb943e7d9e4f

SHA256
83979a8d92aa4ed8cbd1fa81fbda8a4e7e2e87de6b420fff2460b04a7c9f6ebe

SHA512
b025040e0e53ff4a9345a22b32d43c60d7e25c10b7cc749227c5319effd38438df6a75a622256410e55937add8ea16333dcfb31bdf38c9ee694ece7d0e4857ec

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml
MD5
25a4a6553b0b55802eb3c1cf923227b6

SHA1
29f7697932ffde97606c9a2c061e93a5bfaec73e

SHA256
aac70b55b37cb2877e62d5b9fd7b5278be675b46523cdf433e4b197b0aa66787

SHA512
8e600de22c274f212e48e52131ea0d2452d8044003a31e4519e508ab9478909b294412fb0c3b59d97b63b7036fbb96e678faa7834ecd04fbaf78a563b52066a6

Download Submit
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml
MD5
86af8a922430201aaea977d32b1345d8

SHA1
029b2f0a5a65d44a60c3d5eaf7e79984858801fd

SHA256
84c2997f983047a9c7a116bc8d1f1192b5357e830eef443af9d2559a86fe162a

SHA512
147e5c8e2c5ba922bfea329963152ae90342b092ebcc19f8b2e66fa0235357f80d6e5e9e389c6a46a9081c59bb5118737c25d3fbab61cef9b321c12a505f7d69

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_bc8e1036-7fb3-448e-8ad9-a824b1a03b8e
MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\RyukReadMe.txt
MD5
8176df5b8ba0f3e389b4e697b7f172b1

SHA1
9efeb2bb33fe0b6d8092102a6742992cbcc2af26

SHA256
5ffe9773e50166c57caad558aa055c862dcbb010393c42c27fb9332fe15f7516

SHA512
30b04b65eeeb3fb777da4abb43f8728ad993bf935bc2662cbe77617a2d8ecf1f2c2595ac5072a55d4c340cc976ad04620a4e545efa9ca151ad4acc383230ee06

Download Submit
memory/1076-54-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp

Filesize
8KB

Download
memory/1144-57-0x000000013FA60000-0x000000013FDE8000-memory.dmp

Filesize
3.5MB

Download
memory/1144-55-0x000000013FA60000-0x000000013FDE8000-memory.dmp

Filesize
3.5MB

Download
memory/1396-59-0x000000013FA60000-0x000000013FDE8000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads