Analysis Overview
SHA256
6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9
Threat Level: Known bad
The file 6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9 was found to be: Known bad.
Malicious Activity Summary
Ryuk
Checks computer location settings
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-02-20 06:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-02-20 06:04
Reported
2022-02-20 06:59
Platform
win7-en-20211208
Max time kernel
190s
Max time network
37s
Command Line
Signatures
Ryuk
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" | C:\Windows\system32\reg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\7-Zip\Lang\ext.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\keypadbase.xml | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng2.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\zh-cn.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\an.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\af.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad.xml | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ne.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ko.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\lij.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\nl.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\vi.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ja.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ar.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\AddReset.au | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hi.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\keypad\kor-kor.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\AssertExpand.wma | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\et.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\mng.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\co.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\id.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\dicjp.bin | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fy.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_jpn.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\el-GR\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\yo.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-delete.avi | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskmenu\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ru.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ast.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\ku.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gl.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\gu.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\az.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\ar-SA\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\en-US\boxed-split.avi | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\auxpad\auxbase.xml | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\et-EE\RyukReadMe.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\History.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\fi.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\va.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\el.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad.xml | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sr-spc.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| File opened for modification | C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\osknumpad\RyukReadMe.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\is.txt | C:\Windows\system32\taskhost.exe | N/A |
| File opened for modification | C:\Program Files\7-Zip\Lang\hr.txt | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
"C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
Network
Files
| SHA256 | 39a61220f4daa3f312e42014b1ade12ecb00657789b2012f6ea73d10dc49888d |
| SHA512 | 3ff719050a8486879ccd2ab2b08563b19ccf96a9822cb57604fb2719d0d5194694239192e709279adb4d8ce231ec7212815fdc5541797d8667676a89ea6ff14d |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.msi
| MD5 | 2d7d7d079af6557cbda3470909980215 |
| SHA1 | 318ac861ca76e2da13d8ac441dfe88f3e169a57e |
| SHA256 | 2dc98a743c003d452d3b005664d2a5e1dc034b9eaa18f948193cf08b213c364b |
| SHA512 | 39bc0bc1d26a2b6bc3b1d8f6dbe380fa2ba9bcfe0d7eb100e26622bf97e6387f0ef487478f4962dae5c9b8047b8617661637328021d60f436b122dd85cee7d74 |
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.msi
| MD5 | 8e26355fdc406e0c9ce882c554b6c3f8 |
| SHA1 | 7a7b0cb3b94b44e8e06e61a6dfcb6a9f52d48e12 |
| SHA256 | 63ef667e880db419e07e68c919dc89eef923469515c7fd024a95ae194e8a191d |
| SHA512 | 01290c7216b5428d1cf864da64cb935662b06c6af3a58171285dd9975182d028d8e5a41514a417dc60305d2ce4bce54e76072f33028c73dbb40262130e62ed48 |
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml
| MD5 | 86af8a922430201aaea977d32b1345d8 |
| SHA1 | 029b2f0a5a65d44a60c3d5eaf7e79984858801fd |
| SHA256 | 84c2997f983047a9c7a116bc8d1f1192b5357e830eef443af9d2559a86fe162a |
| SHA512 | 147e5c8e2c5ba922bfea329963152ae90342b092ebcc19f8b2e66fa0235357f80d6e5e9e389c6a46a9081c59bb5118737c25d3fbab61cef9b321c12a505f7d69 |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm
| MD5 | d2e0161c7f9a34617286214e41ad2d08 |
| SHA1 | 9795445436d8f662758c115bff0f3117667c15f3 |
| SHA256 | c8c58cacd3d86ab7d957a66b9c4808d98dfa0f0dcbbcbd78c5d576756483601b |
| SHA512 | 5902db57d2214a32f1562db1fccb047c2f2c64039d0ab2374a2267e3f5f8e16f7d87c734ab2dcde5e8c0073ab8cc4b361fb71a84e467ee8cdd27818369fc917a |
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml
| MD5 | d370cfa2a24694aa874e5c460f78b842 |
| SHA1 | 845bb47877727422eafdc425868f97e368a0cb41 |
| SHA256 | a20d6fb3caf69a30e93de35de5f7d135ddb8861900182740e9d501e45a756f93 |
| SHA512 | 3b58a5fa02d2297f68a9611001e88c461b54dd9744aecb245a80a49531a9c3b43f0c7287e25c9b72eac99fad8f74bbae3992c45f00df8e827eb0e5a4d320fc6c |
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
| MD5 | fa4ed635331087fa3f50622056ec4cee |
| SHA1 | 97f1011b810bec26c4ba02dfd56b90721a3f2862 |
| SHA256 | bd1c78785b7ef9fa06a4feae191b1f23b767467548785747341f1b815392f59b |
| SHA512 | 739b9016bb132afac0bf8efe1b421d83f3a56fc5cd6f52a5af355265e9b1b9f07064d3a555120359a35008bbe1d0baf1d9224805daa2e04af60f132dc670a419 |
C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OWOW64LR.cab
| MD5 | 842d8cc020a7132ac8a9fb69cf4c6289 |
| SHA1 | 02af0b47e42e05d7eebd5bf697a9bad8147a0af5 |
| SHA256 | 1ba16fbe366b52a7ee9a5fa7937b1154233894d9244fe5b22c8a70d9d183cd51 |
| SHA512 | 2744226715fa68544da2941f5c05630dc4c678ff74b3bdbe74ba40b7a33af60821d2f515882f40bea3cf74d8ad17f6975cb62b5a455fc638eb6fc3c0f99c31b4 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-02-20 06:04
Reported
2022-02-20 06:59
Platform
win10v2004-en-20220113
Max time kernel
43s
Max time network
119s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" | C:\Windows\system32\reg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe
"C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe" /f
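The persistence recorded above is a plain reg.exe write: the sample spawns cmd.exe /C REG ADD into HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, names the value svchos (one character short of svchost) and points it at its own binary in the user's Temp directory. The Python below is an editor's added example, not part of the sandbox report or of the sample. It parses both record shapes this page shows, the cmd.exe / reg.exe command lines under Processes and the Set value indicator under Signatures, and flags a Run-key write when its target lives in a staging directory or its value name is one edit away from a Windows binary name. The staging-directory and lookalike lists are assumptions; the OneDrive record is a constructed benign control, and the malicious records are rebuilt from the lines on this page.

```python
"""Flag Run-key persistence of the kind this report records (editor's added example, not
part of the sandbox report or the sample). Accepts the two record shapes on the page: the
cmd.exe / reg.exe command lines under Processes and the "Set value" indicator under
Signatures. The staging-directory and lookalike lists are the editor's assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Any hive spelling: HKCU\..., HKEY_CURRENT_USER\..., or the kernel form \REGISTRY\USER\<SID>\...
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# Sandbox "Set value" indicator: <key>\<name> = "<data>", with backslashes inside <data> doubled.
REG_EVENT_RE = re.compile(
    r'^(?P<key>.+?\\CurrentVersion\\Run(?:Once)?)\\(?P<name>[^\\=]+?)\s*=\s*"?(?P<data>.*?)"?\s*$',
    re.IGNORECASE)
# Assumption: directories a legitimate autorun rarely points into (lower-case substrings).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")
# Assumption: binary names malware likes to misspell by one character (svchos vs svchost).
LOOKALIKE_TARGETS = ("svchost", "lsass", "csrss", "winlogon", "explorer", "taskhost")


@dataclass
class RunKeyWrite:
    key: str
    value_name: str
    data: str


def split_windows_cmdline(cmdline: str) -> list[str]:
    """Tokenize: a double-quoted run is one token (quotes dropped), otherwise split on whitespace."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_reg_add(cmdline: str) -> RunKeyWrite | None:
    """Pull key, /v and /d out of a `reg add` call, whether or not wrapped in cmd.exe /C."""
    toks = split_windows_cmdline(cmdline)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low[:-1]):
        if t in ("reg", "reg.exe") or t.endswith("\\reg.exe"):
            if low[i + 1] == "add":
                break
    else:
        return None
    if i + 2 >= len(toks):
        return None
    opts, j = {}, i + 3
    while j < len(toks):
        if low[j] in ("/v", "/t", "/d") and j + 1 < len(toks):
            opts[low[j]] = toks[j + 1]
            j += 2
        else:
            j += 1  # /f, /ve, /s and anything unknown take no argument we need
    return RunKeyWrite(toks[i + 2], opts.get("/v", "(Default)"), opts.get("/d", ""))


def parse_registry_event(indicator: str) -> RunKeyWrite | None:
    """Parse the sandbox's Set value indicator and undo its doubled backslashes."""
    m = REG_EVENT_RE.match(indicator)
    return RunKeyWrite(m["key"], m["name"], m["data"].replace("\\\\", "\\")) if m else None


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches value names one typo away from a real binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry: RunKeyWrite) -> list[str]:
    """Reasons to flag a Run-key write; empty means not flagged, or not a Run key at all."""
    reasons: list[str] = []
    if not RUN_KEY_RE.search(entry.key):
        return reasons
    if any(d in entry.data.lower() for d in STAGING_DIRS):
        reasons.append("autorun target lives in a temp/staging directory")
    stem = entry.value_name.lower().removesuffix(".exe")
    for real in LOOKALIKE_TARGETS:
        if stem != real and edit_distance(stem, real) <= 1:
            reasons.append(f"value name {entry.value_name!r} is one edit from {real}")
            break
    return reasons


# Constructed from the behavioral2 Processes and Signatures entries; the OneDrive line is a benign control.
SAMPLE_NAME = "6da342cf712dc4c102bf41d23bfdae763b189091cc9ef98033917e92dd1c54c9.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE_NAME
RUN_KEY = "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
CMD_LINE = f'"C:\\Windows\\System32\\cmd.exe" /C REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{SAMPLE_PATH}" /f'
REG_LINE = f'REG ADD "{RUN_KEY}" /v "svchos" /t REG_SZ /d "{SAMPLE_PATH}" /f'
REG_EVENT = ("\\REGISTRY\\USER\\S-1-5-21-1346565761-3498240568-4147300184-1000\\SOFTWARE\\Microsoft"
             "\\Windows\\CurrentVersion\\Run\\svchos = " + '"' + SAMPLE_PATH.replace("\\", "\\\\") + '"')
BENIGN_LINE = ('REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" /v OneDrive /t REG_SZ '
               '/d "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background" /f')

if __name__ == "__main__":
    for rec in (CMD_LINE, REG_LINE, REG_EVENT, BENIGN_LINE):
        entry = parse_reg_add(rec) or parse_registry_event(rec)
        print("FLAG" if entry and assess(entry) else "ok  ", rec[:60])
```

The two parsers exist because the same action is reported in two vocabularies: process telemetry (Sysmon Event ID 1, EDR process creation) carries the HKCU or HKEY_CURRENT_USER command line, while registry telemetry (Sysmon Event ID 13, this sandbox's Set value row) reports the kernel path \REGISTRY\USER\<SID>\..., which is why the Run-key match anchors on the tail of the key rather than the hive prefix. On a live host the same check is worth pairing with the parent chain visible above (sample.exe spawning cmd.exe spawning reg.exe), since a user-land process writing its own Temp path into Run through reg.exe is rare for legitimate software.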
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 52.182.143.211:443 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 72.21.81.240:80 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
Files
memory/2280-130-0x00007FF7F6810000-0x00007FF7F6B98000-memory.dmp
memory/2312-131-0x00007FF7F6810000-0x00007FF7F6B98000-memory.dmp