ryuk | d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9

Analysis

max time kernel
148s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 21:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
Size

131KB
MD5

2cc630e080bb8de5faf9f5ae87f43f8b
SHA1

5a385b8b4b88b6eb93b771b7fbbe190789ef396a
SHA256

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9
SHA512

901939718692e20a969887e64db581d6fed62c99026709c672edb75ebfa35ce02fa68308d70d463afbcc42a46e52ea9f7bc5ed93e5dbf3772d221064d88e11d7
SSDEEP

3072:j06qm9E8obCg2QdgYdrp23suV+eGg21Yg:j06qHnOg3df9eAJ

Score

10^/10

ryuk discovery ransomware

Malware Config

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Renames multiple (82) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

2836 icacls.exe
2452 icacls.exe
2460 icacls.exe

pid	process
2836	icacls.exe
2452	icacls.exe
2460	icacls.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened (read-only)	\??\S:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\R:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\N:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\M:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\L:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Y:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\T:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Q:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\O:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\K:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\I:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\X:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\V:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\G:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\J:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\H:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\U:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\P:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\E:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\Z:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened (read-only)	\??\W:	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Drops file in Program Files directory 64 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Filters\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\Alphabet.xml	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\ApproveResume.wax	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt-br.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\RyukReadMe.html	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ta.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe

description	pid	process	target process
PID 2180 wrote to memory of 2452	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2452	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2452	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2452	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2460	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2460	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2460	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2460	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2836	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2836	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2836	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe
PID 2180 wrote to memory of 2836	2180	d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe
"C:\Users\Admin\AppData\Local\Temp\d6b7b27e13700aaa7f108bf9e76473717a7a1665198e9aafcc2d2227ca11bba9.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\SysWOW64\icacls.exe
  icacls "C:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2452
- C:\Windows\SysWOW64\icacls.exe
  icacls "D:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2460
- C:\Windows\SysWOW64\icacls.exe
  icacls "F:\*" /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OWOW64WW.cab

Filesize
1.7MB

MD5
601260f1af0d26bc4c46c2b649bc1daf

SHA1
7a99e20d49c51639c622aa55bf27b36900a0ef97

SHA256
d73e3fb225c7b67304d6cd112d12c08127fc8ab5e1159c29f29fbcbbcf2f4d8c

SHA512
d37d683f1ecbd03e9b5e15b9ba6575e3be046a5d8ab97649074869b07cf504a537b023062f814bdca32636d0af5272bf9f31744b3cdc52743195a9d083f89549

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.msi.RYK

Filesize
1.8MB

MD5
382bbc6923cf62c82df03a61e37864dc

SHA1
339c02176bfd4d24ec6a9759f604644201ac4f22

SHA256
84a6ba670a9a7ac5ce8cfa0a932a322296e90b07947a550b18cc9af574c5eae9

SHA512
bf4a296355b9294a3ae3a73caf71c26cf69a1b193eaf919e1e867ef08b54aa5d98ba7aea9220e33d0c6ada20aded9886a9ad4050bd355de2bd851e2bb1e8c512

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.RYK

Filesize
4KB

MD5
35dd9c93bfafa61d0647cefecbc340ba

SHA1
e98fb87fc13f0ba10f7c7ae6aed0eb2a5e769d29

SHA256
8f3e5d6b2cf48c30de247e88c6d74fc5ba3b6af65e182badad64fc64920fc675

SHA512
e37dfe941ec70f86405174f295632cd4b49e0027b77fea5494d4df7abbde955c6eb3449857509ab9e07aed99680190a2ffff329d3fd7eb216dbe15902e2ed0e4

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.msi.RYK

Filesize
1.7MB

MD5
ae86b66f0a8a7e41e48f8bd9746b47bb

SHA1
619971d42f5324070ba9474a5bbaaa7517bb130e

SHA256
5becd3478673f10a279fdcedbaa829b0888c904df8bf2fc01b5f9302d200eec9

SHA512
d03d64222c534146debfc7bc53c0d6608129bd9243d8af8ae1df15ef1adfe4805338bbb154cdf037ea20a0a130f76cc4486a6d5aff58b9e467116e18c757bea6

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml.RYK

Filesize
17KB

MD5
55fb00a004858cd3d7def1e1202f4e2d

SHA1
b7e084cbcb7cfd4cae44ff222f79f5c7da309e0e

SHA256
d7566e1c645ca81846cdc9e9bfa1719d5a919a0489d96282fdb407d414200346

SHA512
4e63a82a78e4cf4fe94b8ab23e7c49b4f75c60a70c64205b678637187a9b82345319bca03f66e954c4d4b2327feba57e5a782c4f2466188dae8588e2bf31d397

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW.cab

Filesize
1.3MB

MD5
661affdb1e762a55f7ce42ce53af2428

SHA1
9c48e08a2003be911d77874cd64b0c2bc5d9c526

SHA256
f8195de7472f548b8666d931c18d42bc68582b2d490d0f64585621b64b7ffd42

SHA512
7c4c0f20900d36d6c81aea1a443176f7e269deaca9ff1a9d50b4fe25cf7a6f2f09a67265cd1ee0f4ceec6c2ce8ec79f3940cca8aa024120bc85687c2e4d325fb

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPsWW2.cab

Filesize
1.1MB

MD5
296e2ab188f1a9a3c39af7e6fcd16615

SHA1
33166687555a0b68f4b0ec8b2349270fb7e55f33

SHA256
2da7864e379b1c80b6addbc7d66b42851defaad042632c886c39f360a6c1e063

SHA512
1a96c6ac56d94dee48a113b334928b066ad128d265fbb0a26c27bd839d16c3951a7bbd7be3f427fd6b22ada6d9fc5eb75ae815efac21632a152f4a2c34ec9e52

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
31KB

MD5
e4cb806b1211d12c2b8f729f4e9b81df

SHA1
efba21e508f1a40104e179debb3ed7ffaf6a6adc

SHA256
2f2b9f87e4e91ef3f4dfd4df49c7ba0bf2dcf6d0dcfd9735b763d8c636f7e6b0

SHA512
918e69a531bdce0a85c38a8c765d73874576895d26d913aab744d059a4d6ea97e206d3fde780c771775714789babf1768784aa7bbab19d6206e080d25cf8a859

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\pkeyconfig-office.xrm-ms.RYK

Filesize
699KB

MD5
2d1c70365ac4b9ff5b2d78eb65c9ff56

SHA1
161ce972c29b02f95050d8e8cede32f09945c2f6

SHA256
01f598c9af9de201faa539a8d594ca6cdc1e07291346774cafff48017fca2ccb

SHA512
b234a7dbe151ddc1760fdb094b7bffa989de50c9782b564f8553c70ab09f0af890ccdab3031635ff3b8e9b07cadfc0284f10d28159d8f565f65fca21626f2a08

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelLR.cab

Filesize
1.1MB

MD5
b051d1bbf4ba4a82aafc7c2a68772344

SHA1
e43e6427dcc830bf10f66f1307ea8b8fa7b41e43

SHA256
e4de72ca63e09d8d5cb12e2203ee1d0da2aa0285a23b61390e86d62e2d0051fe

SHA512
1b397eef36c652ae13351fbe9a66e9a16cc5e3322016883cc28ddce7564671a3f359de2bbaf661a1e0f0914a2ea35f4e18ea6479b28b5b6e29788fc37f22fb52

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi

Filesize
1024KB

MD5
6196d014f345da0ea1387e369c97699d

SHA1
cd7ea30c9e2c9132e4719ce232d0bf1df767a24a

SHA256
800c16ee4dc90ce359dee9634b033848b4a2e37d48ee398aef09588b0e3cac5a

SHA512
1a8092f99153e0358a37c699322be610eb5b864ad9693b641906b64a37cf3d3d82b9f2668fa92262f11e42656b58c3675f810ae43884ca1b7b9a962f01e29b96

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml.RYK

Filesize
1KB

MD5
8cf9820d0d13e69595c5859bfe6ae748

SHA1
b62a5194f7711de94ed4285ce003be812c6ac51e

SHA256
a0532af4964d8a9bf69aa8452e1a2e80dcbc53aea4c93fc7991b9fc418992280

SHA512
fa392cb0c7a9c84d10df0e374e6806c843061e2009e81adf5e00b53e1847d0d8a4821dca1848c8de3e0c93caa0727a31dd2de1e56c99ac0ca072d85d0bde3672

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
f3b540cffd90cece7b77e855e2683788

SHA1
11840544bbf3d21a2156b8cc309800c8aecdfb0b

SHA256
f72e1ea78227021ec93ca404d4dba36c8b9d163218d45bde2b24f969bc974dd2

SHA512
53c9e9918418e0dbe5cc4607b135df79a56e96f1913592462527fcab91088990fc5c6f55150cfa82ad89e719c67469283fc06de68ae7262e14c4fa61db16956c

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.msi.RYK

Filesize
1.7MB

MD5
3e2af85f96177a068d380821d7d9eb30

SHA1
695ee6624b21c970b6a7253b9918ce1157a2bd73

SHA256
b209363a4d37857ef04f97405bb0d4860dd34db2416b25b1e2bb2a81e2bfdb09

SHA512
fe1e3f2a5cf3f800af6c73945c2a0b55324e11a94ca295f16e4c3489b335f9cfc9b2725097170a4a4361147cfc254ce552a073890de9b2ee1ed0ad4097520aca

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml.RYK

Filesize
1KB

MD5
092ac597960afb259e26855ed6f184ab

SHA1
9243ff699113c61fffeb02ce15fb68157e1e90fa

SHA256
978d5490d0a3bd0e0da85aefd2950e3c66f2165c84243dd79cc7edb32cd36276

SHA512
c0d6cfd10f2c0a786883c3b0fd220b906205b2529a783e9d9190b08d02375f9302f02e8db9534eda5a0a3bfc5ce054c81447198f2c39921f762ce451221e2e99

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PptLR.cab

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
3953c311c6b979ed84e79a6130ca5c2a

SHA1
9fcced407842a94c57a1df8edf55a6ff2bce66ab

SHA256
c2c6bec7b0ab5443ea009d36fc9888e58f30a1de45647b34295a3bf8065c7051

SHA512
2ec4f759dd34d17ae0d3d2eb0b972690db8fdadd434cb179dc472642ba2f87e5961c2cf2f54e3cf9f7b325e0dae58e0dfedd5afddf8940d6897a1d5956629b55

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PubLR.cab.RYK

Filesize
1.5MB

MD5
7cf37154f0e9afa024e1981d346f0668

SHA1
0bdf3ba53397e9be2713cb84764273a6a09514db

SHA256
98c157653034f92b0d8bf89a979592f4e2c8572b9acb1a712ef051a24d1898a0

SHA512
bf0e133d216b9003168a206b324c8e15de0c73f7fde9184804504155b13f9ea27ae49547752f7c4c4b1c70568045d59709dc7dc32056b14f8a76efb844cd4ab9

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi.RYK

Filesize
1.7MB

MD5
058fb4f766fd9563f9b42e2c369ff135

SHA1
9aeb035c0d4e7db232fc910c4c8c5fb4960d3eeb

SHA256
274347a3e699185da4bce8a162b3ec960724c9692d5a40a62db7bcd655e01222

SHA512
fdc4709685b0de7216d808ae5ba9901539a7568a691b82cbefea3d85c580ec7e62f3ee83a0319d3960b1d589782468c79269ba5ff65d93719e2e540dce99ddae

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml.RYK

Filesize
1KB

MD5
6f8ff6f9715c666b5292caa9920fc594

SHA1
c87eaa7934a12b4b93ab59985cd1324d16cd91b6

SHA256
575226fb285a8b969ebbeb63dc277758ab4cd392970bd7447fbb1a9a0618a4c7

SHA512
eca1ceccb37e91b60d87da22f61204efaf49c02b51208c92b4495b663e229c489c5655edebfc9dbd9f64d02a01b69d9dee140c309cbceb707415eef3d64fce47

Download Submit
C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
1KB

MD5
e877f5a11a5c86d2181505771a3b01db

SHA1
9d783dc9694f676cd59319d7b074968bc3a72679

SHA256
085b16a9f7cddb65ce5917f6ec4b25cdf60f57bd48720ceabc77fa0bac812f49

SHA512
77404163b4849a00d7e841e5489bd22c02233291742806ce3408151530392dc50f55b95446aec7b42b5862b8fd21e9a97b65597fdffb5e810480918aacc775eb

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlkLR.cab.RYK

Filesize
1024KB

MD5
aa93205a636cbfc692c085469cfaac24

SHA1
8956e515ffa00ca64fae1a51c1267c45fd60d1f6

SHA256
100b7d9f795e0d876c9406e7f85439c0bb3536fdf73550c3a42b559d3fbff22a

SHA512
af34ff64b7fbaa73611558993022705126be69a4311c3ab23f281f8642c3b4b40c21ad0e61cf53cf54a436aeef891670d5cf40a6e2eaebe25f2cd9c83aaadcfe

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi.RYK

Filesize
960KB

MD5
3693748befa76c56ea99b31c1ee0b5e2

SHA1
2c912f6e713d70e918f307ea0d65d9bbfd8b2069

SHA256
ca18be5b201d9f6b6b5ec769d11f572a452e2a855b16def6e42f5b47baa0898b

SHA512
49b2934063cc312e49f62ba09a5878b033e835794509472b9190d2aa93b5eb071c26d86af1c6a1c5e8ccdcc43bbe48389d227932659846b888ffa0817d8d5391

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml.RYK

Filesize
3KB

MD5
5c1c5563862aeec0c98e85ccfafa0a30

SHA1
66499f7e503c74c3bbc5315272f399a0b8ca7ee9

SHA256
316d9c10f5b73de8b29575d77586a7fbf9987e996257e857d36ad880c4f74cf8

SHA512
fc66b97fa6f847d0a3afa2496f6bf0ced9a34affe1d5f403120c36b841259925b1eaef52989a1b16e20d19fcea3b196acbf24b24d10830f9449f24f9c5294765

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
4KB

MD5
f21a16d1d01cdb9fdaf8a7653000970d

SHA1
f979ee178adc8ca2735d88d6356d09756a09c67c

SHA256
1c02e4f439f7370ff4d2e6f480bca3959f6d59042fc5d0512815b4ee76042e73

SHA512
a9747ea3a9eac08fb34fc2061ed076ed5aabe3fe3d33c7f4ca5d00ae1bb9b221afb07fbbb048eab63341284fd04130a03d0df65a4a6e06ca82f98e3e5b646d2f

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml.RYK

Filesize
2KB

MD5
b84752d5391533019522c4d775d56e4c

SHA1
3dd7895335d441741d23f50de57caa0962e99d91

SHA256
8ee384502f480404e533afef95e30976bf5a5feb2ac19bb8d6fcf6c00e05b867

SHA512
5dd13c7fd81f07913fbdabc089d0c364396f291c146ac4831c5e08d72c32487bf07d58d2a6274af87635d7f094a2779dd6d0e52b63ece3096ade12be2050efab

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordLR.cab.RYK

Filesize
896KB

MD5
68a4f12e0ce8164475d648aa9f7123b2

SHA1
fa28910c3ba7b154ef5709043eb6b25bcfafd630

SHA256
0a212d7029a09fe6156cc52565c03dcf08d720dab92b80ef0c79d47bfe21dc38

SHA512
c7430bc76ad98070b4a8d98e996500da999c8a3be3ba5cb782078c450434e567af90c787f5e101de3a3edc618158d6967db0b82beefe396ae0adbb70253aac77

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi.RYK

Filesize
896KB

MD5
bb829a72ea5bdd862e7dda7b3f2fb7f9

SHA1
e9b574a167bf14a6d77a94de6a5beb5770f4ae6f

SHA256
98f0f9c12e81f24cc944b076b9b8a13283ab237b87cfddb54688747455372839

SHA512
58bf017ed8231391615d34ddb6d5993b000efe746bf956bcfa37886f4f67658a822f1a22ebd76c2fc2cf75c1262f60c351bb3d0f4b6209c1ab826c88faddc869

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml.RYK

Filesize
2KB

MD5
8f65a51d2bf09dd497ce79f840b1482f

SHA1
2bce63fb281586c74f344e4465278a72ed60318b

SHA256
f27be360051827cda8c6b0efc7f5c176302847255989cecab2d5d8ac8bc20fb0

SHA512
4b188c340cc4dae052e61c8f9876e5bcf59915915e6d1752ea5ce3ee103e0d6679353dc7725ca1eea88386991a4d16c7df8662a5a75ff0c1b56703dc5d66fd50

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.cab.RYK

Filesize
832KB

MD5
8da11c05aea560412c93bfc54042e27c

SHA1
65ae2204a2d498dd82c3b1e04b2bd8b3ed16c208

SHA256
81c44ddedddf27425192339586639dff4509b561a7090a69b28ae6a2ae6f851c

SHA512
53d68af59e5b70f97877cfecf62c6b5cec9523c2d9ddc791baf891000ca15e7a994203436fd49c8d37351abc64eda7ce8dbe31eb92dfa3373c5654d7a260726c

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi.RYK

Filesize
641KB

MD5
15f58123014a1ac30811dd8ab88b52db

SHA1
ef3b3266191887c2c799ce954f6859fac20e85e7

SHA256
34b8b358e4376504d8aed0a6a3396d8a5bda0de84628c4a8b2f0edcf83330104

SHA512
5b3dd7098ebb40ee160fe3f4c4cd00329d0ebbbce6c1b954a57578f29ccc0bf4a80df78a2410f098055f053ef782efa1710c673c2983be45a18ac74ca0849cd6

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml.RYK

Filesize
1KB

MD5
52b1a8cb8195137f2e62cbe6f33e6454

SHA1
5431e24aca3b7527eb6b3806c64358f59503373e

SHA256
2d61998afdb4fd8a5cead7b45f7cee01229743b1ec8372ac6418ed8bc2c0ec0c

SHA512
1ce034838a3e845799c67fa9b1382d26d584ead925d181ac69378a2fc643f34fa0cc00eefaa325c88b86759e65e28cda0b5b6faee9ede97cdbdf29a812a4a62f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\RyukReadMe.html

Filesize
1KB

MD5
a275819b461f6458af0dcce3dc69bab2

SHA1
4211607b906db1280376dbc9202df7f426b2921b

SHA256
615ab23d7c60104e69412960185d34163add0d6f7238dc22a851cf2c12de2b3a

SHA512
8b744cd272ef41a44dbeaa098090fba83843dea2af32d41cee0f6800d067fd89a6d8486153c473729a9f7a9c2cf723dfa4c6f870c5179d216554878c695925f6

Download Submit