ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Size

321KB
MD5

04ba14a9828b000add142d0bcb42ac2d
SHA1

928a705a481384dee3aa9985bb2a9e1e6827902f
SHA256

28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33
SHA512

2fc56d6fdf360c0435f76822f3d99288c3b31462931eb128c7ed895bf93d88b00663801c1a5394b1ae5bb081ac76b004deaf46fdf2b0b9c027b2945a7c030909
SSDEEP

6144:ba4FsUiep6JzvI74kZO/+SJtwOW8HFBwK3SBDmhYfFQ:ba4Fs/7IfO/+SJFW8HF+KCIG

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer vmprotect

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral13/memory/2320-2-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral13/memory/2320-1-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral13/memory/2320-9-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect
behavioral13/memory/2320-31008-0x0000000030000000-0x00000000303DF000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"	reg.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\QUERIES\MSN MoneyCentral Investor Currency Rates.iqy	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.GIF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SY00170_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SlateBlue.css	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Seoul	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\PIXEL.INF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\Equity.eftx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\subscription.xsd	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00407_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01954_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\BOLDSTRI.ELM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14710_.GIF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsplk.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\Parity.fx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01145_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01357_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\rtf_center.gif	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Niue	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187881.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02085_.GIF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-options-api_zh_CN.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-autoupdate-ui_zh_CN.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00466_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21421_.GIF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\ODBC.SAM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB2A.BDR	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher.nl_ja_4.4.0.v20140623020002.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Waveform.thmx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\SHARING.CFG	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\java.security	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\WATER.ELM	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\vlc.mo	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0234657.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSCOL11.PPD	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Honolulu	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\org-netbeans-core-windows_visualvm.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\INFOPATH_COL.HXC	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.di.nl_zh_4.4.0.v20140623020002.jar	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\ExecutiveResume.dotx	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\is\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21301_.GIF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\TASKL.ICO	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate.css	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\photograph.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Puerto_Rico	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Internet Explorer\images\bing.ico	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerConstraints.exsd	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RyukReadMe.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01183_.WMF	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
71308	vssadmin.exe
71696	vssadmin.exe
70220	vssadmin.exe
71404	vssadmin.exe
71828	vssadmin.exe
71520	vssadmin.exe
71728	vssadmin.exe
72008	vssadmin.exe
72160	vssadmin.exe
71032	vssadmin.exe
65168	vssadmin.exe
71788	vssadmin.exe
69992	vssadmin.exe
72060	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
Token: SeBackupPrivilege	71100	vssvc.exe
Token: SeRestorePrivilege	71100	vssvc.exe
Token: SeAuditPrivilege	71100	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2724	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	30
PID 2320 wrote to memory of 2724	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	30
PID 2320 wrote to memory of 2724	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	30
PID 2320 wrote to memory of 2724	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	30
PID 2320 wrote to memory of 1088	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	18
PID 2724 wrote to memory of 2940	2724	cmd.exe	32
PID 2724 wrote to memory of 2940	2724	cmd.exe	32
PID 2724 wrote to memory of 2940	2724	cmd.exe	32
PID 2724 wrote to memory of 2940	2724	cmd.exe	32
PID 2320 wrote to memory of 1168	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	20
PID 2320 wrote to memory of 1440	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	25
PID 2320 wrote to memory of 70940	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	35
PID 2320 wrote to memory of 70940	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	35
PID 2320 wrote to memory of 70940	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	35
PID 2320 wrote to memory of 70940	2320	28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe	35
PID 70940 wrote to memory of 71032	70940	cmd.exe	37
PID 70940 wrote to memory of 71032	70940	cmd.exe	37
PID 70940 wrote to memory of 71032	70940	cmd.exe	37
PID 70940 wrote to memory of 71032	70940	cmd.exe	37
PID 70940 wrote to memory of 71308	70940	cmd.exe	39
PID 70940 wrote to memory of 71308	70940	cmd.exe	39
PID 70940 wrote to memory of 71308	70940	cmd.exe	39
PID 70940 wrote to memory of 71308	70940	cmd.exe	39
PID 70940 wrote to memory of 71404	70940	cmd.exe	40
PID 70940 wrote to memory of 71404	70940	cmd.exe	40
PID 70940 wrote to memory of 71404	70940	cmd.exe	40
PID 70940 wrote to memory of 71404	70940	cmd.exe	40
PID 70940 wrote to memory of 71520	70940	cmd.exe	41
PID 70940 wrote to memory of 71520	70940	cmd.exe	41
PID 70940 wrote to memory of 71520	70940	cmd.exe	41
PID 70940 wrote to memory of 71520	70940	cmd.exe	41
PID 70940 wrote to memory of 65168	70940	cmd.exe	42
PID 70940 wrote to memory of 65168	70940	cmd.exe	42
PID 70940 wrote to memory of 65168	70940	cmd.exe	42
PID 70940 wrote to memory of 65168	70940	cmd.exe	42
PID 70940 wrote to memory of 71696	70940	cmd.exe	43
PID 70940 wrote to memory of 71696	70940	cmd.exe	43
PID 70940 wrote to memory of 71696	70940	cmd.exe	43
PID 70940 wrote to memory of 71696	70940	cmd.exe	43
PID 70940 wrote to memory of 71728	70940	cmd.exe	44
PID 70940 wrote to memory of 71728	70940	cmd.exe	44
PID 70940 wrote to memory of 71728	70940	cmd.exe	44
PID 70940 wrote to memory of 71728	70940	cmd.exe	44
PID 70940 wrote to memory of 71788	70940	cmd.exe	45
PID 70940 wrote to memory of 71788	70940	cmd.exe	45
PID 70940 wrote to memory of 71788	70940	cmd.exe	45
PID 70940 wrote to memory of 71788	70940	cmd.exe	45
PID 70940 wrote to memory of 71828	70940	cmd.exe	46
PID 70940 wrote to memory of 71828	70940	cmd.exe	46
PID 70940 wrote to memory of 71828	70940	cmd.exe	46
PID 70940 wrote to memory of 71828	70940	cmd.exe	46
PID 70940 wrote to memory of 69992	70940	cmd.exe	47
PID 70940 wrote to memory of 69992	70940	cmd.exe	47
PID 70940 wrote to memory of 69992	70940	cmd.exe	47
PID 70940 wrote to memory of 69992	70940	cmd.exe	47
PID 70940 wrote to memory of 70220	70940	cmd.exe	48
PID 70940 wrote to memory of 70220	70940	cmd.exe	48
PID 70940 wrote to memory of 70220	70940	cmd.exe	48
PID 70940 wrote to memory of 70220	70940	cmd.exe	48
PID 70940 wrote to memory of 72008	70940	cmd.exe	49
PID 70940 wrote to memory of 72008	70940	cmd.exe	49
PID 70940 wrote to memory of 72008	70940	cmd.exe	49
PID 70940 wrote to memory of 72008	70940	cmd.exe	49
PID 70940 wrote to memory of 72060	70940	cmd.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1088

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe
"C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe"
1⤵
- Drops startup file
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\28e7dc4aebbfea61a2ad942f00ecab3bbb32a636679587a6fbd6c8dd69a0ef33.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:70940
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71032
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71308
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71404
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71520
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:65168
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71696
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71728
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71788
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71828
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:69992
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70220
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:72008
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:72060
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:72160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:71100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata

Filesize
754B

MD5
6603d7d1c8ab372e5502cca29e574fe3

SHA1
e201e0ab6adddca00d87822344da72c092fd0fdf

SHA256
b478200893825cae7d5e78e6ff6b6ebff2437d705624abd88dfa7efc927dacf2

SHA512
2b3eb2fad1e46c6c913aee80f9d32cc94ad012250034144d63bbc54782e0f01acbdc9747280cf819db627bbfd582f3bcbdd11cbe8ddf30cc601ccd6326bd471b

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml

Filesize
562B

MD5
7fc030fce1988a087c9c7b4db5ee97b7

SHA1
66c2c9d3e8f65bb11db87df7e22866a3ee2bdfc8

SHA256
695b5fa8f53af3549786007f79c5dd61cadb40c1bf1b36c1d6d1585580f7ee5e

SHA512
75ab08675139255bf54a7c92daa3d78d72a39bf6482aecc9728d988a4269e0c947de80c612f0c53f1f478bca1a7d11ab723ac9ba9872e2235aaf6e514596a7fb

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn

Filesize
674B

MD5
e017f416a6ad09cd9f57401adab41144

SHA1
dee29e1f5b40a7f79b248d03d6846fe521a451dd

SHA256
14dbf01b1cb0e1b7b3082f5bfcf1fddae5f9c19607029a55d438b1c61c2d382e

SHA512
1b40cfdbfe8371b4fd276f7dfeb5b1dc5caf2b12f0b0dcb85f5feca0a24d21b917c32d521cbb57ba8152b93d650941804748cc18e6cfbf35a5395daa82fbb0e5

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW

Filesize
13KB

MD5
12a343d30306be8a6e14b3538d751fd2

SHA1
7402f5c7c31ce34688fab45e897f1e36d6194126

SHA256
b42c7063660f16a6adf39cc2c77a2eeba9dc2113129274ad2270ed3494a5ee88

SHA512
3784ad6392b4ca72fc73e322db3195c08d724f8efdb09f427f48713ef00150f7d18e48a511dac9fdc4d49b557d1d73c7d7d10e91314b8107c0cda4664fd09c50

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW

Filesize
13KB

MD5
1602afa42d2099d371385704f0d58f34

SHA1
1f0f9765951ff98b8a9af2c177f6cf7b5e7fc1b6

SHA256
54827162fc68584845477420cb454ad4c24f538791a61fdafcdb359f19efb5fd

SHA512
a357c22ede110c94ecfc78171fdb473de248154653497f203eb287748b40f04edecfb0bc97a066ee7e4d281116588fe8559d242508df9376be12e03eda4729da

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH

Filesize
10KB

MD5
d372d44a7c3d8c1f396a72f5f26dc370

SHA1
9ba5d82e036577e462720c213561b680fb7daa31

SHA256
11cbb52e8825bf342df890b022d78031b58665778694c341a918c3a40a435b60

SHA512
ebe936ec780180bf58c7e6fa0b25b3cd2536af94219961ab2e7819f4c4a8a565226dd8bbf95f38ae6e810dbefc69b51f7b91831f066fd7a8bba95815c67881c1

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD

Filesize
9KB

MD5
f040b907c50230b48d62988700e9471d

SHA1
192a756fbd65c8ab5646a10ca3adca08fdcc166f

SHA256
4c814a409bdd251e328090cac4709d355faf265d5b9b3580fb9d0e56875af20c

SHA512
71c02ad8b2c6bfaa14cbfd02e5bb3e2a149f3b2e4780f3795e7f217fcd046895ab8a1379a433641be7182f55657de54035378e82a905bfb3d24ce73bb6f2e71c

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn

Filesize
626B

MD5
7b85b5d59cdb80820dc5d4236a4fd838

SHA1
c6fb829b8231c832b67c4af264d055e016b5a438

SHA256
446345f5cdf8ad0785eb0424d5c5dbe7172bda1b7285b5cbcf79af2444e0169c

SHA512
b3f24a53f6ef34174ec6a43311305bc47ced7f81cb13bfa27f616596056c69da5735b304edb0f2d41ef3872f154dadf749fdd98e0d1ca81db01029bbd94de3be

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn

Filesize
658B

MD5
9ada6a421d370a58004beecfa7d72384

SHA1
3c4d0eeb74f96c94ddbf3a088f6600701a02ca6c

SHA256
7698313534e6971958db4753fe946a22dabd31bd804718de1c87068266a2f575

SHA512
f2fe4a238887bb8515114833a4fa0509e7f0eabca6f5636296e448cca141ed8745481cb894a55937ef84116780003886014ee8b098e9d11979bebe8e4595f92a

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn

Filesize
626B

MD5
60418868246bab6ff959182ff3960a96

SHA1
808b51030d3badc5c1a2579c38c6954e4059f4ef

SHA256
201408442b63d627f6339943aacf35349b71a7fe89001d4ef08f41edb8af553b

SHA512
542429370ac1ec0ce8d931846d8e60a541896695bf6d2aa64e1d63f6307d3dc5404109124a64f24e2242a1604b2b4b4a61ee8f8bc520ad6bbddfd60e18dc607d

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn

Filesize
642B

MD5
73b8c49bd75d7460963abe3eaede48c3

SHA1
b234ec6cf4e701181b393da8a9b495e988359258

SHA256
cde8913853eb430747ff727a5b88cae4ba62f9669341ad3f902ce1bdf7ba676a

SHA512
7196ea5d1e12a8ec865eafc49311dfb4cc43da4f6347c19bfab34a96d2af1b535ecaeab475047c23e9f35a127729dcc23859a46a44ccbc10c6229450482cdca5

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn

Filesize
658B

MD5
ff32a4903b2d136f5050d1113e91efe9

SHA1
e3c3e82d8e1d8d5ea04618cee88413e74ca20592

SHA256
24b34106e6e28ede62e541b66c30ea1048bfc1bf23e27ac415013e6f153e0321

SHA512
4b5db7a92d196b1562a3f4a92c5b823882da91341f5fb00a9bab463a0e01b77a5e9663310ceff7f81776fe510fbafc4ce5f7d6e5220fbe1acc032e285627d758

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn

Filesize
690B

MD5
225f78748162d43545a37e615b51249a

SHA1
345167a9301ee809ab6e801e4cd2102b61954fd4

SHA256
3935dd2cf0ee3a06d7831285c7cbc22c6f5f3bb57fdde6249fb435172c682d61

SHA512
fbf5d509a679239f90076d0bb9065f7cd2d18f5696660b93e8965732c9bbe2bda4bab716e0edc51132eda8eb0ad6e8804396b63ff17cc5739804c26cafc68936

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn

Filesize
658B

MD5
8d5519d0bd6890b6894c3c003f71230c

SHA1
bf076ec7c6ea24f01bb663f6c38ea8319b9e3085

SHA256
c1679c3dc33deb07166239dcec6edbd7f249d0b6a6d9d5ff5af8d3f76016137f

SHA512
951e828e060f2c24065a30f824f8f8800078dd1aa94ad74c4bb60e1ba8408834bf829ac0c125415222f0de021c4747c54a597bf4075d51d11df084a35a046122

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn

Filesize
674B

MD5
ad53f7a87bf59b0327b6e3b421e3cafb

SHA1
bd9941ea3817b4bff418a3b4200a5f299a5355c8

SHA256
e1eefac9542dc6912f0e4e050fc1ccef135a9aa3eaaddc4fe545701b1724f8d9

SHA512
9c7a6f90b367b5369884425f6b11565b033108647af8dc2b7923c7046c1f428d01a64ebfebc31171399c993cf503f914b908f11b852403e564027a7841186e8f

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

Filesize
626B

MD5
18818eb5bad01d4c9c151562fe68eb4e

SHA1
432a33cf95e52b07001d21d8b191ecf216e1437d

SHA256
3b15f20187e11a6a2cfbc763d9eecf1069b1247849e1906c1ce1c31e59cece4c

SHA512
7451f6920a0eeef8fa37cad29089ae9a49ecbaa223f10718b7b60b11d390232ba8db9670e729f36d00fb2a08ca7ad915be4ed36982c5b3e3d0df19ad177c275d

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn

Filesize
626B

MD5
6028feb72640f5930cf97d404caa55e4

SHA1
5334ec8ecfa734f1b37ce88c5f8d173bcd5a2f0f

SHA256
da11db8a27e6eef3aefc4d42c8c61fb6acd92ef439aca95cf005a1535e150849

SHA512
2761416b5792b02c8ed3431296d0fb85ad6458a3e17f14a5a856665f9111412d7e0ce657d2b6e24c28e16f708ca00d264a86fec2b97ce3df06e20bf95b79e634

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn

Filesize
658B

MD5
7d2f889f9e9e5ba773920d77058916eb

SHA1
6443bb233f5f9ab01144eb950f1c22b487e4c3eb

SHA256
27350bf0a3ba970577bdf8881b7b307dfa04e441a5c14f3946125efcff9a0f33

SHA512
458697da425f2d909bccb085d5646713b7d5157c9853ee09de27510b78fc87386a9a2892e9cd982dd3112db496921d06481ad02b6b329edb584f0224e427c94e

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn

Filesize
642B

MD5
5784f808cb23e92a8c098aafa7b36a62

SHA1
a2abf98eadf0939ebe95104b084355eb2ea043dd

SHA256
a0f902b2439a70494d7a90af8c8a953e8adb5bf47ea943dd4d9f00584d66bf1d

SHA512
fc4a59fdbcd332cbb303f34188c790bd8c7b72f0408315f869524d5a6ba7225ca6de26ac1a6a2a88254f3e8e7f5334b9c5f65e9e4fb4237a118c5ad9ab7f36f1

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn

Filesize
626B

MD5
39e29d5bd4c8064258369cfac8c3153d

SHA1
c9dd197946c66141eb609c218162a9a57b5c0dd1

SHA256
9c1a1c7f05ce14fd288c5018c4432160076123a55c2ee774e3b0ce25a779bf44

SHA512
93d2da7f6a94b6c0d411c2e31beea68967b5da538cc90996b7063e6910aee1f05dbde8eeca3166598da15d781082a61a65c5703e80fc07a25962e06f7657b3ac

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn

Filesize
642B

MD5
e7272ca1805aa78be1e29d4c95bfa75a

SHA1
3d077bb15365f3ff59a51b10e12cf7ebef0f4210

SHA256
17c135c8d36d2dd59211c92dc15a693806726ff9eae1b755bdfcebcaf2a1bc6e

SHA512
4bc777af978a4f378bd42bf5a10b234fef3fc07883de2cee1cb8ad564a615b06a169e93af737579cea998e8da3186ecd7ab3c4c9ab9ccf404902a52d6cd4b314

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn

Filesize
642B

MD5
e41ff66991ad21c08baf8c3fe26a2f17

SHA1
552a64c9b6f191bd9a4730f7a49a8de8d82a9373

SHA256
b1cb4e419b114ec7f6abaf2ff26360d1b99c8ff4f98ef8410aee1602984cffdd

SHA512
a3d57be817a0fbabfdcea1c457062cc6d39c07088b465f62f74e1e4cd06bba92a929a8c7575fdedf8cfeabe5a539d738dc2af5af0c6f9d3933b68f142c924221

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn

Filesize
674B

MD5
1d008234cf8412403a63eabe41ef29e5

SHA1
4dbb5b3f0a84190758ad7dbb547cee1b5e060b26

SHA256
a942db686c92dbb7b7d5ce6797af5f7320a314998ca64dc6e85ee2ba822e9e24

SHA512
8a94d3f38234d02f97b81aa395598632cc68e01571f50552721b5eab7702e5e7743d47b83d3204eddb57310af9d9be0e1cd1a589bec726a486d2ee197d083dd9

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn

Filesize
658B

MD5
c43d8a9515c75039f0cb80f13747339a

SHA1
dc996166474ee1131d7b774b6832cfd2c6e8f573

SHA256
9dec8fc7e37f8d3686002c4397085d91a2a49c5d8738c138620193a9054e63eb

SHA512
0a64b97e29ee2147ab7f5e49b9959d26aeb13b43344de15ed65007c1846450d5b77d40e9a8cf04b49103292b971134b436ea8c6adf3e0d0e6d6c3d20f7589d0c

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

Filesize
674B

MD5
0d6163911e9a23d23ad82f6430849396

SHA1
37af09ad28ab6dcf959457f6e71724ebf87816a9

SHA256
fef20fd616ed9adaf6f30564138f80460289ebcc0c32101e93963ed9d2de0a55

SHA512
63db52ddcc0b4397b585139b24b16ee63201a50f419112be6ddfbbf3ad223c5ca76e918eb2b43dec648c0c253069e853ccbdab03ce6a1c0b2a8bd82a6656f704

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn

Filesize
642B

MD5
42cf09563d7f6f8003daef9874d2b46b

SHA1
1e9739f0df559e98b1b276fbaa7e11123d6dfb00

SHA256
11f311a4657877ed158c643ed31c71e744a67417ab1a2ce7bfe3003fe0cb6586

SHA512
92163715e77b7010a75fdf9bd5a2615217191336c9de542ad6cc5bc221603c23229b5e6af05d25b270fb5878114e7d94becd19d5354d15b3ecad1ddb6fa72109

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

Filesize
642B

MD5
f6343d38e5ee964b0cf5495f72319f0e

SHA1
842417e0e439359763948519543ac4e6d77ac86e

SHA256
ee5c566c6f5be2508dcb0ba5b6a97cc5b00307ddff42bd2394e8dae13cae600d

SHA512
e0261f602039d800fbcf876f71a12f105958374876cdb49d6c38c909ef4cf2b85f7899902b550d4c628a5c9edc972307b8f38aeb76662bc19cedd75b6eb4ec11

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn

Filesize
674B

MD5
55459455630dcbbd28a6638dad0dd3a7

SHA1
806efb3d11a8e07b129cca4f328adb542d7eb379

SHA256
bc9b0bc2ba15cb5b2db777c2b6612778cffcd71a409296f70af29b5edb439840

SHA512
76f4e184ca0bf518a861a4c0f1ef8f1451779b81d2f5e555942727f91606522c1ae36656266b98792fa1d96d955f76fbf3f6eb39cc60b7ce11e0069ec66d5223

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl

Filesize
6KB

MD5
6e2c6fcc0ca40e246842961929bacaaa

SHA1
11c2417630d5c6c88e1b07d0ef30eda9b23164e5

SHA256
3cbc0e304cd0bd57b54d15f3f7c296251e3e164f7fe6d769c36e330c9ed438e8

SHA512
3908881021e1d06458f20590d9ca76ab82983d8ef2fe4a04ba746d62cd0e7daeca122d5105ab1436594ab3f99caf158dcd4955db09f9ab7426b68a76bb2fa2ce

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_CValidator.H1D

Filesize
12KB

MD5
5e54c90352c84378cc51f8ea3ab9a71e

SHA1
f6427e9b284780089a595a21f8e743be177b4eec

SHA256
3182fc5c9efdea6d040f73d79daed304c0ab52e2e81e514d761e4ec19ccb44b3

SHA512
47cabbfad1a5bcf1e5874135eb26d2ad433fb6acd1e6589faa026e21f260a43fc59aa6429782516b1826c8ab427d40ba20998b09ff83ec49c3ce77dd48203ffd

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
d75f68ef5ff4946c2a769821bd962d0e

SHA1
6f9b8859d0f00c10ea8657e4ca411f18bf24b27c

SHA256
586cafe42b8dd5e533d5cfff5d69987c797b03e43c18677eee877f603176a2de

SHA512
6aab19e8fe0cc6283ffff63271f3f2b3f0747ff41570c45c839e9654adfa1b782c47ec829f75a3601bb6123b26a01f900c5bc589179f0c5052c357771f878c8f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W

Filesize
409KB

MD5
c7aef9a7926d9074d06ae7471536bcbb

SHA1
7909c70776c2a9ab039af28b2e363f24901a24e0

SHA256
14b77efeeebb7f3676704a2b35db08fd4ecf4f968c1daae731c5f40b6d285274

SHA512
b50fcfbe61724c134faecc342e142398633abe527764627cb936d5f697e9e3b53670a8710d25ff5430632542568ec7e9a7c6da80728214ccea51479547326119

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MTOC_help.H1H

Filesize
531KB

MD5
2757a715a4f1f5ea288fea19402e057a

SHA1
cbce7b31f57554ebbc20562ab27fd18db5c1a0bf

SHA256
a1fe4620c6be0c85f14ec381bd4df878dae6945a78f692410cc42b4073b9d657

SHA512
e86d079630bc31a3758d5120a08bba0bd650f0bb78ba2d1753f9643e5e80bfb06a39d923359e9c62e760784c96c4089dd37c7f87b50475c2426fce748f15af0e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MValidator.H1D

Filesize
14KB

MD5
ef0013b44f28456df0b9545766f2b472

SHA1
eb48d8ed3de51cc7c53a53dd1ce47d3f884f05f2

SHA256
c440f014a580b8970a5907e209f5a66d4f34e21edc4e86a8061e5b5912541108

SHA512
440d1a428afba25309b3ffae5c14d05443b4583b46244cc873e80d5026e3b81513705d19365122302d053a25bce30c2410ee995aa5ad3c76da2d1b268d85955d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help{45EACA36-DBE9-4E4A-A26D-5C201902346D}.H1Q

Filesize
1.2MB

MD5
fcdd7a35b5ddb0b60c6064a5ffeeeb35

SHA1
b4d5e862429450d293ddac8b13584bde7fdcac74

SHA256
c128d0cb12b9e67c9dcd61306657dff2faac63797bff322320da9b57dbe32454

SHA512
436828b498fcf27656f6276a897dc36723a688976dd1cd80acce7dd390a7b3184c036a7ab726f4a353343161ab89f8fe6ce16802b9fe4ebc1d585eb3711855ce

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D

Filesize
12KB

MD5
33ecade36ed265d4570f7f61f21db2c2

SHA1
d9ce8815e4f69fe2ad81c262322a376846ca97fd

SHA256
4b22374287652c6a82c5402c4d38cef1e9cb3bc34dbd5a1d08afbd11a4e28686

SHA512
b7aa3fdb91c0397f5113f5ce2d27aaacf93f6d280f19dd3a10e7db91b66402280fc86ee107edd4579a8e4a2bbd2f455d703e20eecfb021f09e8816c1736c32b9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
68b196c58bde366382462151aa7b710c

SHA1
3f27f87f056bb54269bb606287e21e4326903412

SHA256
ef8fed74c9b5c2ba54a1141dab4aa6b656d6bac65a9fd360cf6aff29b0ed5564

SHA512
c060b47452475fb7e73a986a0175c758f0cc024cee68ee0efd05453f7d34389689687b4685b74cbf31897ef1a17626cb3bda623daca3d8ec1275572c0c953b4e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W

Filesize
201KB

MD5
401ff72738663f852e1f522540d18f32

SHA1
2a84f734c890427db773d508eb01b9e63fd43b98

SHA256
ea92c632619da1265a60f308cf7484e5fe861adec8fc1ea9343539a41cef6cdd

SHA512
dbd2835a0fea545c68850e9c1ebf3df35eed4b04c0db7fae4f51beee4bc493dc80b0a3044ccb2c6237b7108f63ce2d421f500f2af066539c5b693b91bf0bd331

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H

Filesize
491KB

MD5
38d8f1bcee2a7ae0dd08de553fe55a1e

SHA1
364f9b1438ed3a1b843e24baa82a9d187e01902d

SHA256
98e6073cc4b04ae849fbc1580e640ab814c569d7a09c7466f0cd16b5544d6d3c

SHA512
8855467652f96d26af0582d2bb1bc1f2b079c1151616c71b4e40aefd0c45b21f47691fa2bd391794c66dddc465a0f56dbc7937db886c42f82d31723059d79b64

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D

Filesize
14KB

MD5
444b42e91e37e2a94efc7673970902c3

SHA1
eb87a2c0ae9b9b53723bf0a93812c5879f3788ce

SHA256
e3624545f22bd6a69ad9ba4e37c7f0953f52f06abcb4c27497141b3b36e015a0

SHA512
52efa5500b59eca716336aea82bdf6717911f6927fccd909efce96881edd510697b142c10e975d212cd8b66d1b7014b8d854a365c3ab2f70f1c547c673fde047

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q

Filesize
864KB

MD5
3898ec03970395ad5e599b2e51153e97

SHA1
732c49f574510375c467a882a18dd5a3ee41ac53

SHA256
11bc9e2a05e11aa1cac44efdf7eee23e7a9da73c297a2865619290e7b30ba300

SHA512
60fda5d1b7ad12e9298ed13861e7f3693b86a03eec3f4a5e4c93ad0d757859d351feb2244d0d8ebf38d0390ad3df51efc5904c02485f00017308471a2a65be15

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D

Filesize
12KB

MD5
d1300c13d854d9cd67722d6353ad0f87

SHA1
fb7bb3a285cc6f33413fabe645bdcb0b17db0336

SHA256
34d6acd0fb5aaeb36cbe388afe66ba5bce1eb3f27788189a2c361bd030290a50

SHA512
36018cb645c4e070c18e7f1077a92666fbf5ac1e2721c28f5f0083ccf052ac23631bcb5adec98604d6406881d5ed04cb1e0abaad6d09f374494bf0d96ff298d6

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
02b3cd25971c6054d470698aa9c2140f

SHA1
e318e8aecfff8ce7c68bf56d1e74c9feb59a8b77

SHA256
f7224f1f407714aee5bf7d06aad42cac57795f72716ded23e32736bfd079e630

SHA512
b3c4ce81ce25ac5408dd0983f9ca96a0294abb214df8926c977d664f8c7f8c2d9b3465fb1be87a786a6f4c0d7a9f68a011d349720098e3ce44e8e0e9d6c0e196

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_BestBet.H1W

Filesize
425KB

MD5
a28267c2a4e192263fa8206c967f1202

SHA1
6629ffde2af76453e01bff113dc033d00afb0569

SHA256
7107e02550b291159b48b04c231aeeced1e2be70551ce726882c76c2a874f8c9

SHA512
f10b61c218a4095ca696cb161eda3e51a4feff5e232cdeb11a6f84f9e184a52c1c7a89f0bf704c5b6e1aab734230933fedd078d10eab6289dc0106c0f325bf94

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MTOC_help.H1H

Filesize
531KB

MD5
7cf6021ab0caeab64b1527d886f5e532

SHA1
8649f4b8e7ac4e60fa4c407efd34dbbae7909ad6

SHA256
9ce289716bc6bb259352add6ded5b7f1455b14c73f81adf3ad2e77e6f60b8a0b

SHA512
89e83fbde02a76f3b8e8d49cb60d8df3c0b7c9c9b3b404103f9559da1c0fe85d5946d202bdff6d9cdb7f6adbde577e9c1b739de2116b89bfe5b168c7a702e119

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D

Filesize
14KB

MD5
52290aa78ca6e1b39dee89dce310c20a

SHA1
8e3f93b904654447450f05652d1377ebc82c502c

SHA256
8ab3c85b1130895e3fb78c30a0cf32d26414f86f7792593134eeb7c06017c497

SHA512
566ccd16adb11e456e9531f5af584f6b74606da2b6e90260497ab05485ca8bcf42bce25b0274ecc455c5f7e4c79ee5125d6328af2a27cfa68a5778b4aa9d6c75

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help{68DC71DC-2327-4040-8F03-50D6A9805049}.H1Q

Filesize
1.0MB

MD5
dc082059712321f318fce89cf2e49594

SHA1
4d31117f8c15d153c119c79c07674c4bedf9af01

SHA256
87f3cfe685100dbf432d5eca92904bd5e08d876ff3c374f502abfffec21ebc09

SHA512
973628372c524cb4366e95cd83c701e427c9bb0c27594f7a51235891417f07298d08f87b165148cc44cc68f337da0d8a670c5e1741f3fba80ec3b018ac821a56

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D

Filesize
12KB

MD5
24c75c510a260a5900f69c7870b089d9

SHA1
3f3010afdbc8b2875366072e0ece2c83577bc6de

SHA256
3315367bc74a13a1fd6b90138f80a33c938f3556ca24de8b614f698155b6ff3f

SHA512
047aa6b3556af22328b0dfb53fc68f50ac4b55839cd15b09523fd82f6e87ff059a97492ae8392c92da28df2771e8e75ef213e3a77db7dec21955765e6f9d0268

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
1a3c136019ad1aa60281f3bee22ef958

SHA1
1b36878218ddf6351acd8c91c845720d2fb8659d

SHA256
53569aa492dd6f18a21273767d9664e61baf906c853388ea0dcb5d4972b118cc

SHA512
bc2b6da8acb00130b0f0afeac3954f03b551ac696cb597ba7bc3d33747d656f9560a971895b36919502d96b0b4cf28be55a2afe9739c566dcdb2467248a2fbc1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
0eb64e052129dede10592d007c72c331

SHA1
dfbb6ea8ed532f71d2c41ce84199dd5e03c571c0

SHA256
c4d008567d9ce0524ae5cbf23c6612d1cbc6329e3c198e27069bd2deb99ad427

SHA512
640ef111a4ecfb9f4fbcb5a83d839b03fcf18da699a192e7460f777081fe39e7d10852cb5d56e175eaf5d1d0748c0b50dc8e8e0d24488c2e201c3761f5348e18

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H

Filesize
546KB

MD5
ea80136125043ca77b6a883e09d6c723

SHA1
93ff27cd9012a1dd240391c2de4fa6f936866961

SHA256
23010d727e014daa7c563e15a1e887aeebb39786ef08e36109b007bec2738746

SHA512
7b5c50ab854a888d38701b24c81ddc771bae1e75b42415026eb0d3525a98d6b94bc86f6fc1b19e0a6e12a391c454819f446d030fe4f2fb86e32b46bf2ac056ac

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D

Filesize
14KB

MD5
b38d1718d0d7e39e8e713eec439e5e95

SHA1
ee08ced68170ec4b614029c71c41ee3ab2425d2b

SHA256
c605748297a3893e5d669b4a219674ae604e494f10ddaad4fec4fb74f758d0e9

SHA512
8d1880a533cfdef2bd0a148535891537952f57b821cc18fd43b20ebfc7371af997ff086543718e91a825d5f88f7925f89513dcc639681b1b7015a145d04bab1b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q

Filesize
1.1MB

MD5
abf3e6e1694381b0e4c66abeb90607f1

SHA1
1a192d598794031832732e50a610625356d5f125

SHA256
678e500a0d790156c5328df712b63e2343fa4b83f77712f0ff46fe7f37e2ed57

SHA512
df33dd8c4e428deda52532a59dc049dddf31653802adbe0754650952fd9320c1a501ae79abb8ca6f683f8698c1b7f4210d3169f608a9e09bf65b674abcbcb356

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D

Filesize
12KB

MD5
fd9e8c0c75f9aec506865b548acd66c8

SHA1
f39d334903323ddfb51efb778e0eaa22a3916b45

SHA256
8489240e3bd1fc9bf57f40d7cc1c46512d227e9c9e54a5ff8cc6eb01dcfcdd3c

SHA512
d3ef2c2ca2c97bdd74e65e84524871bdea9daea61a1e947a6f760ffa29898b137a7bc3674e59c766099aa134cd30208f643792a0523adc8e27924504e568f0d9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
75af718d6d854b06bf75b7cfa2060293

SHA1
1dd7b45a7bada02e3c04f7f45445f9af5a1e6666

SHA256
2369d63ebfa78ded8f1f1c194031a8f977c36fa54a2c67b39b96882e1217961f

SHA512
3e8079ce7f03c17e8ba414a5c3fd9682fb0e1a098e918f0a394be48507500a0b3ef4080d3570b80e876b281adc5035b90a62fcf79274827166d84bbe16d8d1f7

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
11155cfd4e00bee067a58c2e5a2181fa

SHA1
c32b990bb402595f39e879e7bb01551d2afecacf

SHA256
eb0ae386f47f266b4e4a283fd484ab8748b4a8f421aea11aa3e9efc0f492f2f0

SHA512
8428df0ff099e4896e2fb06fc5ee2e4f54e7992c92d949428aa7eb91b01d90b521d5a132688d453fa00922aed5612513990e493fe3d1d9f5feb50bac6e0c1ac2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

Filesize
530KB

MD5
5b5bfdf440812403430615e188e69f1e

SHA1
f677057f43fab2a77f0b90b64e185a28fae45305

SHA256
b92b20d6eb752cb1c18665f755705515dd85620afde6be911c023dddb2fca268

SHA512
d0b910f785d9ab6e85d3ee941e808e9ddf6b6483369f8b06af456fc3760b416de1854d79bc08100f5ba98d1a7391653a02f6529a8c7c624f472ac38fb9a60c5e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D

Filesize
14KB

MD5
2df5c2c5a1e8fb674ef075b2e5ee808a

SHA1
929c495b9651a2c9cd038e3f3f777948c8de1084

SHA256
077be73e33f6fed2f129a9dc7a7d8701e61e244244c90afd610856bf9fc05dfe

SHA512
dc7ece98d67923580e27ec8b7bf48b7b4b5a24107a9fe18b8823b278170064f97e17ec990e2bd95b6b48d6a9872e35956e49275d1ed2609afd28b774c1c7aa09

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q

Filesize
1.0MB

MD5
bc0744d65a9da703cb4dc417e936112a

SHA1
5a795674f3262e55de4c2cf9b0a1d55c75f1c5a8

SHA256
6a7045f67d74d856a525638a9572bf072f6fd3f89821fdd6745792fcbc457bb3

SHA512
44a4ba8c4289e64b7d7729f46f012d5d5b10fd5c6f17c32534ec011e8933b524b8cb4d3408d485704bf919e210ee810b25fbcfb7f86ed8a5a49e7d6c5122247d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D

Filesize
12KB

MD5
986c3ce842ccb3c65e1787bcdbe12231

SHA1
b3f5898489602f89f643af4559d124309efbf73c

SHA256
c244bfc0c15accb33a93a3333a71a77a013fa67df1dff307ca38e4d3f5d5df6f

SHA512
df9e23e10758257bded2235e454cc4d9bc3791885f154b74ddd1f9ac22e8855fe8d3f8dfb2ad29c3f43c7aaea309867ba2d3c269b1bd10c7b6768605a43de0f3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
f64c0742882f7e4b8083e10e297b32ef

SHA1
00fc5327b2657c2211c890c58f103a7aaa4fb428

SHA256
b358cd1e914883378c7f5dee28378339c3ae540aa986aad1b7e5f9be0c6bbb7e

SHA512
8f36d6b0cced70a7a883784a4e80f7564fb47d7f21de454de87974586c64f43d90646629eb00034df2bc045cea3998537e039fcc92b3cb744469ac2ec38de916

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
8ba765404b1616594d93615aca0ee349

SHA1
4cf701810d313670be314a045c4253375276c8f0

SHA256
05f86332e837747d26bd7ae1598f04bd6152c00387c86fdba0f790e8df3d581b

SHA512
03dedcb2a8c23c459b7f2d5337cff55e3dd7781d0a0557bf40cf32602e751c630fa2c2aa01c00ce6369cd85448e7a9a9cfde6f57f33ac4934b1bb7739f58f079

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H

Filesize
352KB

MD5
ad903e821f52d12f691bc3565d42f251

SHA1
5f1661ab1ae90f601a0e720947fe3158d3f9d4d8

SHA256
5135025eef979b726a60dd1a0ca927bb9e82539286ba82a1dcd061af5556637d

SHA512
05ce22633b32205ee7b7aa881002c90395dd85a177349dfa9789c091f0e60dd8661b3092faad10fae2b6224f64324bf70ace85fe3e133060f18430c901e70471

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D

Filesize
14KB

MD5
0ef60bc1e6727b88ded4494f1db3e202

SHA1
6066046fe2e5b7fc9e9a3328f93e1850cffd6377

SHA256
7f7ee2252c277ed965f1ab28fbef53e7cde475260e87cf5b4ddcaeb0afa5e831

SHA512
abcfab0958e68df978139e9521505d90af276fd532404bbef9982ae19888a4bb75d89c0106294508464141b37cd6df86d93ad652b573e9b5f5aa2e9a050ec0f9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q

Filesize
1.2MB

MD5
a4781a6e9f5038734a32262e1a357fe0

SHA1
c7e775b7976be22aa5fa29f76e1fab4e6d4373b1

SHA256
ac6b6d6d48d363be5407e9af3556c9b381479558cfa4a0377b3042371b1f0e10

SHA512
c9c7329b83568348e1c086d6cb9eb298ef7e9336f170e2a34083add644118a07056d189e2ccf6505096e577f53351f90e4b87b257b7b1a4c3021d23ed6332baf

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
338B

MD5
e7b7f2c150a3a5c2aa8690c662f11c6b

SHA1
b7d1de656e3b1ee6197ad215a7e838f64fc9192e

SHA256
11d41e15cf9b0579bbac0cce2f99d684e51a8a3c758c79dd20f309b45d6a0d10

SHA512
a2d5a71723db771c5ca2193a32cf12a9c4de60b2d2b06f899ab01a591d50e3cd1f3cb8d3c085645240746c905f77c615d30a1a49c1b243d5921b3ee4dd7a83df

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
322B

MD5
4dd8a35a58833eba93caed49c48f1b5b

SHA1
a3ec4903580b264eabb55b82e69995e23c592fb8

SHA256
6c675009cdeb66a2ec1eb6ceb86eadbcc52ac5f05a843cc8d4c43d2a72129e2d

SHA512
9a7c87e791ce609d445a36e7bf9336cff38070e9fcb5d38fd417400f9944978c7d0828bd349149e1477c41668cc605f3404f316427109e201f2a4086e08fa28b

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
99277b54f6534643fc942b9132def142

SHA1
86c17b99a6d735be029133af3f44c877289da984

SHA256
75208e8d83671a3a092a5efbeb817f2f28414c68fec9f8daa620bf3ac27dc061

SHA512
323e2ce3ecd924cb162f84af8990046c61b9d962766ebd62cf0103a06201a0785b5e06ed7d19247e12123838d631bc82c932f85093c9511eaed89844f0a31476

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
92ad5133d9065bbf17d3778fda10e8e8

SHA1
5b7befcaade4e924b8bb0906867f71859c7914df

SHA256
c314c7485625120e50b6fe79cb820c87c3dcc71a36706f3c983aaa2b5540aefc

SHA512
37c2d7197b50921cc4315d3f84b29a1ec1ebc2eb79bbd1c6ba630fbd42338dfd9f29ee0a1f53cacd0aeff84f53acb42fe7c881ab8394289ec30d9f21a2528304

Download Submit
C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico

Filesize
5KB

MD5
91424e297824a9ac0ac0b376b23b8c90

SHA1
061f77e80daf4b3efb8ecf257c11818074313c12

SHA256
a28cf6d226bbdc228d46d3607d44173a53b11df05abd5c43fcbb71a39493ce58

SHA512
66eec1e7873e5959d06f59052d65f00f9c31d6bdbeecaaeb3008e21ba8de40dcbffe864a7921b1a01f16658fa8125d447646e9adc06e8eea21c184fb501c869b

Download Submit
C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico

Filesize
24KB

MD5
4443d84a9b67decb87141cac2b61c271

SHA1
c8c9dc00cc86288ba8af5e373fc207b956d3b5b6

SHA256
6dd7b8bc09f5c78f21edf9ef5216a157eb8422f17c3bddfd00035aab5fe84b32

SHA512
3a30d3c84c8513ed50eee1e5e6de19509fbb9549b631ecac6b24f7a3932af94d4350d6a939dd861197e4e767988e7dca0c874e38eb36c91fd30e2966fd659656

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico

Filesize
341KB

MD5
6c511de6d614a7c5550d6751284a6950

SHA1
f70c2868a08883a68e78bccf2261e632497a9c0a

SHA256
169f182adffa8a27ad7ececa13c8bf3a66e5872ae73a546b38adeb5b2d3b076b

SHA512
0658e6712f5bfe7103ed1cf5c0926f841d3d0a9e3708fb88826195def09075c6a93b15ee61c7256533fe927fae366360df427a5a094b1a0cb441a4a28c243ede

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySite.ico

Filesize
24KB

MD5
d4178c9e98e5893fbfb843d165a7cbcb

SHA1
fcaf58b716b39a2d92841b4339f38b57aa101b02

SHA256
596b53fcd6f49ee53a5ea9981d512a9a5c42e267712d1de30fa7fdffcb7d740c

SHA512
b7e7c3195cb3ce4a9f61fce7cc8434ed80220c3f0666c2a3a82bdf4d048f940c9d3aff6e9126fcd60d71d31aab8bdf104b323fd5d62be5a9b4ea77e065a1561d

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico

Filesize
24KB

MD5
c5e5d155959034df3e7729ee07f278f5

SHA1
d8fddcef5f54dadd882647665eb79607baefbd66

SHA256
2f3e0ccf6a6434b0656a4570f0141a0727ff5b8485c717cc86ba4e897ec694c2

SHA512
b831f601ae97251f9a23fa1a3ff4621603a9730d35803d7ab8a7a70e251922e848938ad1094f45a4561a44e369f13a5d04c7081a2139e23c28fa4b4713ca0a8c

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico

Filesize
24KB

MD5
3225491d5a397d0f2e41b2ac228a440e

SHA1
24574051fae44474a74ce118ef206593edb7e6ae

SHA256
6e23cb6c95a8b1c87d095b36b3a25044f557e9553cf0b91f41196d09ded4f582

SHA512
f35267bc8390828b098c8ffb41fc81fda7bb73dd6414857cb290b08cc673c7661080e09a845163b95ab51cf5bebd00b681d9fd7f321849bf58f94c7ec0d74d5a

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
31KB

MD5
a8454cb84420638cd4ea4b8f21fcb80c

SHA1
7b0d2720ee137b90d9fecbc261f9318d95acb7dc

SHA256
25198203210518489d0a31b8020caa456d1a7da3cab3383d47c9f8eac062cba4

SHA512
baedac17fbf194aa2c0989344b44dafb118e83a34643ba2d59441c9d5279d54b4d7e0e2dd33e101daaba5effcb89f4a800a5f18266213272930a7a15782c6456

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
48KB

MD5
961c6e179a4bbe76fcc29d378a9b0bbb

SHA1
12803ba03f0ea61d434dba054293d6cf53a4f5fe

SHA256
fed12bb87b73aa22b4bdc7310752a39627be1ca6367db9b93cee5f8482b17bf2

SHA512
1c9216c3d49764f2e8a3a64e660ecb86a597171eec11c74be20cb35f85e4550ca91e01d69e89705eac2efd7068b03675099620cf2a94a6ae5965f6edea901906

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
b14eac7749c48ad80b14b10e9fedaa17

SHA1
76f435e538b0304859fd75188447516631bea6eb

SHA256
110ac334b8a51c8ea58c86ccf3f070832920cda7dce770c3e9f9aaf23c613a29

SHA512
6b0e94408dbdc2314dfc6ae5208251b5998e75f43010c51d0d6643336291dc98ece35870546a0d542f707b735810c34eaf15382d3a5cbc79300833417e502c10

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
bc3b8d21c6ed02c7595945552ddf7aa6

SHA1
00696bcb7a69dc130062521934d3ed874040d226

SHA256
68b88c25fabaf56e25c2e846b00678d4014ab8dab68bc307b4956e0b2c803690

SHA512
3b71e7667b275d02e6d6809f69d99c36e0fcfa66370753814ace445f78ca0f137bece49abef96b34c7505319766de5661b754b35471537c5cf2db088ad577e57

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
85753b2e144937411aa7ccd09a2998df

SHA1
19abc3a53cb56822d3049c893f75ba35c703b037

SHA256
58c668584e14cd7f6bd62b600a67d50323b357f4620f2207b7ffcfa7082551cb

SHA512
75708cba0227a00df2975a7950cc1aee1d52fc080eee7302d94f0abd2d20ba8a8665529c4055e4101d85b644938d162a0cf98b56dfabcdb0806cdca408755ec2

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
50c480eee04661661cce6735caf974ed

SHA1
854ca20de5c2b818171e1b688b56621b7f2ff577

SHA256
1bf3aca582dba9176743f54fd6abaf3cfbb0cabbef4685c2bd34ca1186dd16d5

SHA512
46391b0f99f4434784e288a0bf8bf502561d0fded2941ce604ec7e28690d28dc22adc179e3398bdd6a81bf110974d8089116805aff6e4383899c2677beedd450

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
002f5e5323fd1b8b07b7c1f9a8259c84

SHA1
db3369cf0d4e148fed5bdec226103b376cb3133e

SHA256
92f411505ef0ff877888620139635514f6fc3081dbea3576a79831095f90d071

SHA512
02559becc67100d1f1cab5d193c402a9e68f89d74439ec1b891c291ca420ef41ae2d372f3e36e187c0c4486bd48cb7a45595f0826d457b60ce50a15cbf23b270

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
1f33dcd2985a97779311364c3f5c858f

SHA1
180aa9a4dbb460c79aff94c56edb18e905ccbdb4

SHA256
cd6017088d5ba06b0addfc46db60d0c3acad5d121b976f2861faa8af55647457

SHA512
a45de58418dff6406a7c9a9aeebc8c3380565eed3199d6755fdd31debafb8edc326748970646f707e68bb470050f37be577039a4a5075e20b0bfcd0c4cace077

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
ef2a0916da72ab4540b5647d23b3bf5d

SHA1
677c31e2aebff43893a1b1eacf87fbb3e0e8095b

SHA256
cce6d1a2b1de174dd38311030a431311f74728e892cf4b0825fa22e34da82810

SHA512
082a4c4cc60c1a119badc7c5addc96ea5df85d3e3c0f4bc755c2db97fffc6812c9059b8e83305a5fda5e4acfff30624c50760547ce10e8868688060779eaa1e3

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
d6a95fca20f299b4f4a5c5d4a0b1eec3

SHA1
624e1a9b9c8dc2bbd40d08881d9ca12be88bc4e3

SHA256
32adb9187e86ffed787bf307ac3a891a0931ae47e42ea0cb10e38eae258fd102

SHA512
3d632fc85369d98603845feecc6c61fbb29782cb60d3f72c2b4764767a7cb63ca21a512c53d282b9b43fb63c1ec126bdfc6542ca680d749f4da465f9e93f811b

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
66931e0bf0ed38a70e061dfe94feff2e

SHA1
bab35c8efb16721d44b0146f7c13067ccf7a80d9

SHA256
bdab9a771b72377b1d6ebaab209fbf8459e30e82f014263a9e5403221fca498b

SHA512
807a198a9c143cd0e01c53687fe9ff81066ea5f35e47e50a4045e1ca2f1fb161a0753849345097ec7846883b42aa85b1c810c4930ba0b75ce57b2359ef7e428b

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
76413cbca5f74d0730c25edee9476315

SHA1
4cdf0fd9d2671262214576708b398cbb667401aa

SHA256
3a61419bb1ad535fce813ace24e6cacff224e9c2dbedc38a97c26277c409e9d3

SHA512
5ca1aa0c550089457d46a045030348dd546317a3d039b5ce4ff704a0c82e0399056ce091a956a30ab97a3588ac20fdc2936ad9409c8d378af9a72cd8ff942ff4

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
a13b5ce87e73c956281f0fd2683f626c

SHA1
d8dd3fcf85798a7ecb7aba2b050017c91bfb46ca

SHA256
0d925f0193f30272741ba0ad42bef7c2d98a3ddef3bf84d905fbd6d52e5a8443

SHA512
b91eb2356a13aad02ccf470d7d34718bd3ad14c85c4140c67432406549373497f27eeede168606da7c0f2c180092c34cbd455d116669363b9f950950626e390c

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
68e2ec95c45714c4b7c505014a75dd70

SHA1
7a859a8ed441747326921b9b2838aefbfb52ce8a

SHA256
a08b268803cfe4141a651fac8d6f651bfaa4c2d4e8b9398e3bd2e1dcaa9079d3

SHA512
2f7b36e1b572f86ee1147243ad5180b9b149061eae791f2f98766f56df126d7b56c64054fead28038ba6cd2a9b52f6001d481ffd190a315e2fec30b21880e5f8

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
7e2400dfcfb25f7cbc87427b3c0b4bfa

SHA1
3e10198490cab16189b9a5366fe12f0e07012aea

SHA256
86fb7defa86a9461060d0aafc8e3764d6e8b5408b05a772a26f8f11fcf3647fe

SHA512
f2d50d3a27228fe7fa6e8545cf21ab0731b2763fa54b0119557a2963d978336a81119cf9eb015aa5c1242cb9b6a2a65faaf21192012a5002c0051b24b2a75f51

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
73603ac4c9a50ecc0dfac5ae616f5d05

SHA1
1671ee4651f5f20b534266e2ba510dec9ba143e7

SHA256
d5299c9326cc382a7b9b3be1a4fa580fe0c5e853598f538b5e777a8cc3cb6588

SHA512
f170cf6695c7f88912382c2f5beacc77c3f13dbbf3430fe553b4cdc686ee3f5981bb78d9e4fa616f93ed600b78ea98c22d25de27a898826ff09b82ce982ee580

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
fc25615de64065c45d82352b7506314a

SHA1
e8e75b27260055f7e0dc48c487745afb11eff938

SHA256
f97c32a29101913720e601cc968353f6251bf1cb9820fc3b5e338e834c93b433

SHA512
e81f2e1d56aa7ab06e31888780eca27ba7a3f119c4dc790232ac9e25be199027b93aa5083188346fafbad4a0f12a864bfc0ec1e0bb2c95dcbbaf947fa20abe3a

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
0082311d744e098d3fb0f177de513e34

SHA1
5221c2b612f35352d8ffe2d97b990746b1a890f0

SHA256
4142af38b2a658b9555a8c2952b4c41fd9d3000ffa974e15a7e38b6aa8e45f1a

SHA512
ce479fdbdf0309271193aaca6af2d8fdc8c026d4453dcad171806029a0ab6ea4502c9e6e2e08e7c0d6b8ac32bd7a0e5f5f97486896edbfd2e26f336e5307bd4a

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
680e6b907c1ad29105531c3cda16bdf9

SHA1
18fa2321b00ede642f62eb51db110da9514e8551

SHA256
63aa53a8d5c46cd4d25f871b3dbe5a8371180895d7a3c398b37377e2113b5c5f

SHA512
6458afbd75e65e227801fd851d27540c4dd1a659f8a5cf2fb658dca7e46b2bd371bc0d0a3de98af78a26c69df9f6f711411fe189b8b7bd66adda02eae8c71895

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
2453ce1f4291b550855fe73a06800fb8

SHA1
dbe1cac362479d2d5207ddd43547343aae4e12ec

SHA256
23e5c615b39b552f0b51fd7e2f79355ad7c88644f410742a734e7771c3bff50f

SHA512
2c18d72ac9151cdaf31c5edf5767867eb4fbf3a56e08851c17a373a3fb8e8f9498b532bb482d1c126afe46a811e517388700c87f6823baa1597d2b4a2d174e6e

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
6472f4f3b9b8b5b8febd3c3342278511

SHA1
54bc962ba5a88aae14f1cdb5e7e27c48c43b8820

SHA256
a91e9989352e7349f4fb1fb203fdbe29d35c51289c1f766dd878bbb9019d4524

SHA512
3098f536e0baf47532d9a7048ff026577a7b6c673788b30029759274290a563a9c9cb6511ccf5a3754e911d5b71f87be03a8d4b3c9467f93d0fb2d8495b96d00

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
110532d10c55382b79f772ada371f2f1

SHA1
9c304019e9a4a0433bf9b253b755c7e86821da75

SHA256
f3c547bee40ec8edc07ac846598260be7adb4a2824c319e107878890df49fac8

SHA512
ca690acb7dafaf4fe3724e661e2bfbe9bec9d2a5e8169c9866685b0ebb8703898903a75167eca957877f6d4de66035a8fa592618e9e708a59f5d6f4f5852dddb

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
4d4f585a6237c7cf3f5990860ccb52cd

SHA1
acce75f34bc00029a94b91b36ea94bf3cf76ba3f

SHA256
672354d75d086ec76c698f9cb0a2c8593a26547d7caf1b71dff4924be330a3d3

SHA512
f324a108fadc85e671d63d74e53f80d4aa4f12310febf964ec0ceb0c4a203bc4b51eba4338703c09fe9b7f7df8f3462c5ec020c65e599c25cf01dec2aa9fe8df

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
c699ab02bc600e1fd76ddb5f5252dccf

SHA1
f3862ef12a0a3db1c8020bda26e8f7cf29d078c4

SHA256
4fc3dc80776fc7207ae58bd08fef296b1f5b6d1058e22cb686d871de2b2290d7

SHA512
7c0b1c563bd17fae3a3acd44050b9133a58daf4a3dafae1c41ef3d81883b09e858d5303288a18de76f5f93ec72d04cf63686fed4cb50a551772c8ec151da955c

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
d5762b96049e791d67bac8c11b205864

SHA1
71bc353b3f8c97c9cca600aa7d3ce199d0458f67

SHA256
62a30f5a883708aec323ee8e4d620fa44acc4822dc8e222f3563d46a45bef63c

SHA512
799d09c05b7f6916a94f5f3a93aafb3e8c3c5d806cbc153cec5653b85332fada2e8382dc960dae4cdd042702c8788289ad4af3e0c150dfff83f1f5386f250d6f

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
77d564b498ce814f375625b1497e7489

SHA1
e2ab655a3056499633416aaadfc6f8cea8614978

SHA256
8123a4d40d327171b415dac4e8dc822d1449b2b795c2d11c13ea8ae1186f038f

SHA512
47121091ee23ffd2b1af2c460d49ba8170f2428e57f4dc719eee04252dbcd84edf9b71972d3f6b7319ae528802df4c618fc777195286448874e5dfab1def53f0

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
e6a31b3476387804778b4c7c3ed8a434

SHA1
929d93c581093398b38daeef6b3cdcf692f5f7a6

SHA256
33e0d655e0e13b5e2ca6762a91e024879038a712e0ce940ba198d88e5932f7f9

SHA512
041dc7a634ea56259b6150c83af674d06c4899d25aacb109faea2ffe516c21b9e2ea65eab1828baf8af2279072c90d545f6c98032cf676890684df52815ed99b

Download Submit
C:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
12KB

MD5
87a32b93cdef19a35086691ddad8259c

SHA1
6c91ab0d4698c3f2a330a7ef054400c2b443ddc2

SHA256
ff46da6db3df0d3ddaa117420912205a379913ab0090bb131a5e6913343f08e8

SHA512
ab06ca5b5ed9b2e653950136a30092a2f31568bc7f26d478b3e8cc876f4b7cbfc49ba79ef20873a97daed6fe431753e9b60ab89a79c723ca96da2f7e7e1e9be3

Download Submit
\??\c:\Users\Admin\AppData\Roaming\BackupUninstall.vb

Filesize
171KB

MD5
1e581ef3e235f6a538a61ef813f5665e

SHA1
247fb454643ab86f5e77372ea4a2c504fe1169d9

SHA256
9113daecc57efe05f74e41946dba34262f02d516375b94a112f7c2ee72ff0937

SHA512
9268a68f7b0261079a0ecfb7c7e6c79fa303f4e95a3ff245ee2f42a948d92636a010bd9d45ea99925a6fce64c9dfd1b64ac5f0b8ad83e4bcc411c24e7339b433

Download Submit
memory/1088-4-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/2320-31008-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/2320-1-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/2320-9-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download
memory/2320-2-0x0000000030000000-0x00000000303DF000-memory.dmp

Filesize
3.9MB

Download