ryuk | 59a777daa0a5b26077c69c7cb26b7f72be6b38604b7caea7c6aef0e89991c748

Resubmissions

25-12-2024 03:42

241225-d9c21axjdn 10

25-12-2024 03:39

241225-d74ryawqfw 10

25-12-2024 03:37

241225-d6fzgswqbw 10

25-12-2024 03:21

241225-dwt4cswpdj 10

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 03:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
Size

143KB
MD5

b77cc8a1ede23a80a4a4c9d0a8b40735
SHA1

254c97abab837687c779b57c7ef1bec4c1e2351a
SHA256

4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581
SHA512

f94546161808210ada027d03465f88336de4f2d24581801566f7ff17a9641b389c43946a98275ed637759a0205b8d09f9028d26bb75ab44e3f7038c5b4667ffd
SSDEEP

3072:dgKsEF7Wf33SdvlRmhYHP+CPt1OOxkgQe:WBwK3SBDmhYfFQe

Score

10^/10

ryuk defense_evasion discovery execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk
Ryuk family
ryuk
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe"	reg.exe

Enumerates connected drives 3 TTPs 16 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\g:	vssadmin.exe
File opened (read-only)	\??\H:	vssadmin.exe
File opened (read-only)	\??\D:	vssadmin.exe
File opened (read-only)	\??\F:	vssadmin.exe
File opened (read-only)	\??\G:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\h:	vssadmin.exe
File opened (read-only)	\??\e:	vssadmin.exe
File opened (read-only)	\??\E:	vssadmin.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\soniccolorconverter.ax	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Denver	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\Simferopol	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Tasks.accdt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\La_Rioja	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01044_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Push\NavigationLeft_SelectionSubpicture.png	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\whiteband.png	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-progress-ui_ja.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\logging.properties	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Argentina\Rio_Gallegos	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Norfolk	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EURO\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\SaslPrepProfile_norm_bidi.spp	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00956_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-options-api.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01628_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\DvdTransform.fx	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsTemplates\Status Report.fdt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01293_.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0281904.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fonts\LucidaBrightItalic.ttf	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00352_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\pop3.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libbluray-awt-j2se-1.3.2.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Australia\Lord_Howe	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153398.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGCAL.DPV	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ENGLISH.LNG	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\Resource.zip	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Americana.css	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\New_York	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-profiling.jar	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH01329_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0075478.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR39F.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\NavigationRight_SelectionSubpicture.png	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\bin\NetworkServerControl.bat	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\METCONV.TXT	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01299_.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\DISTLIST.CFG	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.config	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Google\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\it-IT\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\rollinghills.png	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00833_.WMF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\RyukReadMe.txt	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Premium.css	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD21304_.GIF	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
63628	vssadmin.exe
70904	vssadmin.exe
70296	vssadmin.exe
71008	vssadmin.exe
71044	vssadmin.exe
70520	vssadmin.exe
70548	vssadmin.exe
71120	vssadmin.exe
71136	vssadmin.exe
74816	vssadmin.exe
70620	vssadmin.exe
71176	vssadmin.exe
65640	vssadmin.exe
74528	vssadmin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
Token: SeBackupPrivilege	73424	vssvc.exe
Token: SeRestorePrivilege	73424	vssvc.exe
Token: SeAuditPrivilege	73424	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1720	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	28
PID 2204 wrote to memory of 1720	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	28
PID 2204 wrote to memory of 1720	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	28
PID 2204 wrote to memory of 1720	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	28
PID 2204 wrote to memory of 1116	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	19
PID 1720 wrote to memory of 1880	1720	cmd.exe	30
PID 1720 wrote to memory of 1880	1720	cmd.exe	30
PID 1720 wrote to memory of 1880	1720	cmd.exe	30
PID 1720 wrote to memory of 1880	1720	cmd.exe	30
PID 2204 wrote to memory of 1176	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	20
PID 2204 wrote to memory of 1728	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	23
PID 2204 wrote to memory of 73408	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	34
PID 2204 wrote to memory of 73408	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	34
PID 2204 wrote to memory of 73408	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	34
PID 2204 wrote to memory of 73408	2204	4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe	34
PID 73408 wrote to memory of 74816	73408	cmd.exe	36
PID 73408 wrote to memory of 74816	73408	cmd.exe	36
PID 73408 wrote to memory of 74816	73408	cmd.exe	36
PID 73408 wrote to memory of 74816	73408	cmd.exe	36
PID 73408 wrote to memory of 74528	73408	cmd.exe	38
PID 73408 wrote to memory of 74528	73408	cmd.exe	38
PID 73408 wrote to memory of 74528	73408	cmd.exe	38
PID 73408 wrote to memory of 74528	73408	cmd.exe	38
PID 73408 wrote to memory of 70296	73408	cmd.exe	39
PID 73408 wrote to memory of 70296	73408	cmd.exe	39
PID 73408 wrote to memory of 70296	73408	cmd.exe	39
PID 73408 wrote to memory of 70296	73408	cmd.exe	39
PID 73408 wrote to memory of 71008	73408	cmd.exe	40
PID 73408 wrote to memory of 71008	73408	cmd.exe	40
PID 73408 wrote to memory of 71008	73408	cmd.exe	40
PID 73408 wrote to memory of 71008	73408	cmd.exe	40
PID 73408 wrote to memory of 71044	73408	cmd.exe	41
PID 73408 wrote to memory of 71044	73408	cmd.exe	41
PID 73408 wrote to memory of 71044	73408	cmd.exe	41
PID 73408 wrote to memory of 71044	73408	cmd.exe	41
PID 73408 wrote to memory of 70520	73408	cmd.exe	42
PID 73408 wrote to memory of 70520	73408	cmd.exe	42
PID 73408 wrote to memory of 70520	73408	cmd.exe	42
PID 73408 wrote to memory of 70520	73408	cmd.exe	42
PID 73408 wrote to memory of 70548	73408	cmd.exe	43
PID 73408 wrote to memory of 70548	73408	cmd.exe	43
PID 73408 wrote to memory of 70548	73408	cmd.exe	43
PID 73408 wrote to memory of 70548	73408	cmd.exe	43
PID 73408 wrote to memory of 71120	73408	cmd.exe	44
PID 73408 wrote to memory of 71120	73408	cmd.exe	44
PID 73408 wrote to memory of 71120	73408	cmd.exe	44
PID 73408 wrote to memory of 71120	73408	cmd.exe	44
PID 73408 wrote to memory of 71136	73408	cmd.exe	45
PID 73408 wrote to memory of 71136	73408	cmd.exe	45
PID 73408 wrote to memory of 71136	73408	cmd.exe	45
PID 73408 wrote to memory of 71136	73408	cmd.exe	45
PID 73408 wrote to memory of 70620	73408	cmd.exe	46
PID 73408 wrote to memory of 70620	73408	cmd.exe	46
PID 73408 wrote to memory of 70620	73408	cmd.exe	46
PID 73408 wrote to memory of 70620	73408	cmd.exe	46
PID 73408 wrote to memory of 65640	73408	cmd.exe	47
PID 73408 wrote to memory of 65640	73408	cmd.exe	47
PID 73408 wrote to memory of 65640	73408	cmd.exe	47
PID 73408 wrote to memory of 65640	73408	cmd.exe	47
PID 73408 wrote to memory of 71176	73408	cmd.exe	48
PID 73408 wrote to memory of 71176	73408	cmd.exe	48
PID 73408 wrote to memory of 71176	73408	cmd.exe	48
PID 73408 wrote to memory of 71176	73408	cmd.exe	48
PID 73408 wrote to memory of 70904	73408	cmd.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe
"C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe" /f /reg:64
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4bb0d8eb6b93060941730c65ac5c11625b805f91616841cdfb887d8461aef581.exe" /f /reg:64
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\users\Public\window.bat"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:73408
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:74816
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=401MB
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:74528
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=c: /on=c: /maxsize=unbounded
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70296
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71008
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=d: /on=d: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71044
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70520
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=e: /on=e: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70548
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71120
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=f: /on=f: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71136
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70620
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=g: /on=g: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:65640
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=401MB
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:71176
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin resize shadowstorage /for=h: /on=h: /maxsize=unbounded
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:70904
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin Delete Shadows /all /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:63628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:73424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Acrobat\9.0\Replicate\Security\directories.acrodata

Filesize
754B

MD5
121885f5218a48400c1dc7d071733443

SHA1
8d4105689121ee7951c91f4da126d25f93582389

SHA256
799e3995297bce14bb672b91547f111e10a0abdccd3a44ffd09a1270994857a2

SHA512
b842d7e613457e6e63ec89e808b02f4346dc78935582d56a32dc6c4b88fa77520bb6419eeba371995025ac00fe814703b3dbaf00881dcea5185efee6c37e3c6a

Download Submit
C:\ProgramData\Adobe\Updater6\AdobeESDGlobalApps.xml

Filesize
562B

MD5
ea31b66557f56fb49d6c11ac87c51a9b

SHA1
14c50980a586c7d799cb56d88b9fce91ec0bf5bc

SHA256
7a75a83bec57030abb925dd2c62866ed259ef9017320ae74a9c6ac8c2d5f31c7

SHA512
641f07574eac96b5cefc982e44b922df30e5b5bee6301b9b6189b6f9f402280aac5c0def7f896a14a5b30e1d8282068ac3c0c66c4eabbd71b0a8440f80229db7

Download Submit
C:\ProgramData\Microsoft Help\Hx.hxn

Filesize
674B

MD5
fb09744180e1ecff05e6e367193d2e38

SHA1
02eca5e8ee66683bfc274dcb7fb3b1e844389e83

SHA256
066a63bf2b28d15822c3cc0889f0a9145adabe17547e9d52b6d4de8860e1e732

SHA512
de7a4d3362d6a1db01a8a9f14e18bf0bc8921fb9ec94b98c80451b444dffcac25fa39d37b10a1cf6cc2a2d50849b96d584b8dd47cc8a3dbb9fba268e00fa4533

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_K.HxW

Filesize
13KB

MD5
1fccea1810525c33f377fddf74fb5271

SHA1
ca8e1cbce9ca36062017fe50b6c0d2fcbe997579

SHA256
06a3b8a16125981cca82696475a55510f54a1b47aa04191da1818336877c0158

SHA512
ffeab44a4be3ec811fd6d810adbf27668f0cbafe0e55c42e25a3ef949805e92ff2e542b619bf812d13b35e1a2b3e7750df5c4ce5e22fb7e0222a6e1fcecd2c9e

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MKWD_NamedURL.HxW

Filesize
13KB

MD5
c5bb447c822a2a4df6c7021d12e831ca

SHA1
1d872eddf2099314c9dd51e314c7da77ec5837bc

SHA256
c2ab0c347b583c3d8468cadfee98197d4030804d5455a5d051836f48d8e34f4b

SHA512
fee0a326e7337b3202a09c74d1812ec06b80391b5b8640456f654f7d6d947be14469598853eb9d0006966afa40700c3b66d2731e814b78043765db9af9ca5326

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MTOC_Hx.HxH

Filesize
10KB

MD5
cd441b560289307a1656a3d53dddcbc3

SHA1
c3cb937a8e3b898a288ed8cf1f134b54ff3e022a

SHA256
26dc089900a728f533111de06da3536b179566947b722a3362669a0edfb1d5c0

SHA512
945ef2c0576ae42751c7e1c028450cd7ebbfa1d327697f26301f203dabeccf9f3bb8c847603e3b1e36d8346ea548ba8225c5e6fa06e2495e76c86e06c89f01a3

Download Submit
C:\ProgramData\Microsoft Help\Hx_1033_MValidator.HxD

Filesize
9KB

MD5
07ea07b26350bb75a95fcc8048230731

SHA1
f34146a301e71e40180229efa74a9191be5f348b

SHA256
31ba9d0a132126a28e55b3ce124c804df0e617847f89ec7a88ebbe68b61ea44d

SHA512
971a6a53213ee17495a6588bef2231936d95e454f30749938f147924dfac0ac27821b559b32165234f2e486b1fa04e4966f435f0d4899efe534fa2df08931ee8

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.14.1033.hxn

Filesize
626B

MD5
12ac52e3c72abdd9bdb6a32b03a5cfbc

SHA1
e92ddb1a1266cc47690bed714002dd4caf21aa04

SHA256
59505045ed7b4b45b9bb6e3c1409403652f220df3ad89b712e123ef5c19f3c22

SHA512
2f915c830114bbcd814d024c81d0a47382114173ca123d91b511efcb5232f72f11fdbd81030ececc8de6972d789315e62fd09c90f6d70f59d4d380e1932c1bbd

Download Submit
C:\ProgramData\Microsoft Help\MS.EXCEL.DEV.14.1033.hxn

Filesize
658B

MD5
fab98017418d4996fe154dd0606f34ef

SHA1
8e97ff62a2a512bc18d335e60f455541b6da7634

SHA256
e55e089a12b0606f988c3c3bb1df4ce13d4ebd54a4a4712bd227f1c501e7d419

SHA512
5323bdd5d4bf227ade1a3447d9db4f6817745b83abce7b223dbbeb4b65c8865b3f98bd8ec640602420d255095fa7fa5fb6587992e876d33f4041a0f99eb8c7ef

Download Submit
C:\ProgramData\Microsoft Help\MS.GRAPH.14.1033.hxn

Filesize
626B

MD5
b092a98eec8e1f992657a9f6b3c3de7d

SHA1
6cb6c47f293dfed81617933ee5fbbd8ff8ae541c

SHA256
d4e71a2896a409a271adb8da7f6636bd78aa188dadd1f5d961e88317953e97b8

SHA512
b036628c5a8761e697dc27619ed46e68fbd422ed192b0f6c5527b593205c1aff004fc2dcce7708b9a7e4d95e1f0593fe11fb10d4be4a16cf353b604b55e2093c

Download Submit
C:\ProgramData\Microsoft Help\MS.GROOVE.14.1033.hxn

Filesize
642B

MD5
60ca0b67f540b8e8906d78aeffda195d

SHA1
e521a53dbbdc48bee19eae58b1e243577ca5053c

SHA256
b4b5743c06c742a3c2a02721e2dcc36b51fa981103ae8e5a8015523697f68078

SHA512
98e58db9fb7c47377d7628c3d1cc149cccc33c3e56882886d04a4ed13fa308caaf08c9bc471f99cd10366c591185f6645f3bc9c7cb5e1750b1cd1c8793e8f11b

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATH.14.1033.hxn

Filesize
658B

MD5
664e5d40777105bfccb310705348fd36

SHA1
0fb9a1c15bb50fdfdc1764199707956970d1f8fb

SHA256
1781e88c2c2f320238ee43ed7e917609143967adadc6603654d2b2cfcba534d4

SHA512
25f67253fd326223c13803149f157da18d8da2756a57534cb8ce495a094fa9f7dd68039af42f386873de75a07a25bfc0360b78828493904ccfe1720b81c5ebf2

Download Submit
C:\ProgramData\Microsoft Help\MS.INFOPATHEDITOR.14.1033.hxn

Filesize
690B

MD5
bc2445bf192a912044fa3c6491a449e2

SHA1
b285e1d29a2347c3b77af9212dc597e73619047c

SHA256
2409894875fff34d38a10ca17389e6e30de1e776f5babbfc8dd492f7f0e46bd1

SHA512
1020ac4b31600fcd557c7979ffb9f8e0ecbc83a34ceae22633e703648220c370b1d9fbe4ed1de1db8b940a3d36d4406a49f39ae7d435750f939986ac857739f9

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.14.1033.hxn

Filesize
658B

MD5
308ee66366b1e111786df406629179a7

SHA1
0d9176d3b2a627ec0205d57b3c4a93bd354894a6

SHA256
913c84efe0e0a9ccd8ba67e29d5bcc4a0191d43c773661b5ee00e47b156b5b80

SHA512
7bf72f2db88ca9db56d7f85a8f47f9532c9b5d3ab8f8b4ce6b123adf1c21c6212e27aebfda8143985de6875dc33f6eb725f55132a8ff43e1920919f5a46fb50c

Download Submit
C:\ProgramData\Microsoft Help\MS.MSACCESS.DEV.14.1033.hxn

Filesize
674B

MD5
2c238991a7e0bd3caf20bd6855cc578a

SHA1
520e45dce5868a7eb87eb5812747460de2814614

SHA256
7cc7ab864fb614f705c835db66adc470b911bbfd10e71b0f81988166b75645fa

SHA512
390556892ace54de696e17bec828f136e7edeaff299b67f9e0e95ee17572a1205a6997cb418b6676350472646a1d371c6c6ce7e6ab281beb39e62783b599b58b

Download Submit
C:\ProgramData\Microsoft Help\MS.MSOUC.14.1033.hxn

Filesize
626B

MD5
8e6627b1ccbeb2ddbaf0e9820691d896

SHA1
e2ae5b1ef4b87b4e0117c54481d86404f07b2850

SHA256
b2188f77527a011167ab1606dcca3e638a0625965b6808185f46888f5473942b

SHA512
e7052e593f9161447aa6f35ada15d1bfb35f7f2b7a94aa4029d190ae4c8810890154228d857b9806c9abc20751f0ab4f6cd57d9a1149c6e5bb581104cb4f0bf2

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.14.1033.hxn

Filesize
626B

MD5
ae47441eebd05bfba8db9c8a55053320

SHA1
e06293da6d85dd17d6192096fbddb40fca653284

SHA256
688a46d0a824994d2e41c5732e83a3d3d236ae1bb807eee06614c13c96ea200b

SHA512
f75eb198fbdafed4d376f422e4578671efdeadd268293d7cf4f88951edae26f61573d614bd5b37f1229b04aac0687c8a733cfe1d904a24b1226148ddc44c9592

Download Submit
C:\ProgramData\Microsoft Help\MS.MSPUB.DEV.14.1033.hxn

Filesize
658B

MD5
c686e98f9352f12d3f730e6901c28728

SHA1
aa1227d00f651be0c3cd1db78b4eaf1a5af6fd12

SHA256
d3a615fe48a43e32f32f0ab1590a5c14683baf5fe95aace79f126a366d756d1a

SHA512
2ea61b89f58ba01fec3b76ae534bbd7484319d2e95e68802a135affe572dd5d17f2f12c07cca788dc41d5d58b90de7e67bf944250a21276e4273e17e2ea153f8

Download Submit
C:\ProgramData\Microsoft Help\MS.MSTORE.14.1033.hxn

Filesize
642B

MD5
ff65c4fd2dd1ca6eab8c883a2c7af59e

SHA1
cb3a7491d6e5008e991f84364c3580e109211d96

SHA256
4d218462295d892bcfa2ce7f706928f8b5fff3b6f3da875b69d8c9144fec337d

SHA512
18c9e5a060a8efbdce865e08e9d1e29e2e74065b23eb245afe1efae4892254588d2b52d264537271360c3e880ff5b0c7171ef16b68a2bbb62ec1c31e53fb6abf

Download Submit
C:\ProgramData\Microsoft Help\MS.OIS.14.1033.hxn

Filesize
626B

MD5
e84d3044015e375e4d67e6b1994efa82

SHA1
d7936ac1c9eb7ad359af0e8a64e968a1fc1380a1

SHA256
726d1b0101e78d333770d8a647523dec4d57465942412780800e8197af57e085

SHA512
a37762f71f4f82df19f1106aab5b8e54f76a1467465aeffcc1b1d223775b8ccce32646c93647349c3e04ed3d32948d8f656bf4ae69530673758a2d6019d58216

Download Submit
C:\ProgramData\Microsoft Help\MS.ONENOTE.14.1033.hxn

Filesize
642B

MD5
8688235ff542efde52470a333db4ffb8

SHA1
2f9cbdd0f091c28a24664f0fb10b8671b27c7b5e

SHA256
f6a5069bd493b26419756e4de1f8ae4e1484ff8a876d6e96521009dc69e1147b

SHA512
dd36904709e317b26a8f34804fcf5a575377877db6c6b971f8832c40c2a0664b06a358eace0bcecbd8bad2f0e20b96589ccb132c9ab0ca2f33d8209033686ec4

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.14.1033.hxn

Filesize
642B

MD5
40474528eb76e85217040612b905c492

SHA1
001d1cb9b5b5558c1e55602788ce4bca09d8bc2f

SHA256
592d2be4a9ede7cffa8c8886f9009f1f5ad60406a4383ab24579771da533e0ab

SHA512
5e36b9f40c984206243c9add8400b39792d05737c3b4f2609d5a67dccd342536ee1d1d15c58c4c1d32ed27c1fd76317612e92788016c1868e629e5facd6c4b16

Download Submit
C:\ProgramData\Microsoft Help\MS.OUTLOOK.DEV.14.1033.hxn

Filesize
674B

MD5
3c99b7855f887b61e52d253ee6f98e96

SHA1
cb4985f1e676dab58d9aa92deea6de3c4a408b8c

SHA256
bb7e203db67ba8148295ce2fb84bf5b0043a9c98c3ca99ca829fa565bb5ffcff

SHA512
cfd4ff6dcfd2176db438a719c070920dcad779231cf452b4b10e47c4c1e7b45a7be77716dc21ec440f1a21a0b71f42ffb6c7393cdf0db4d99ac1ffb4d12dc275

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.14.1033.hxn

Filesize
658B

MD5
75980f2b805286da2ba309658a3977b8

SHA1
62cefd831958859cb6f288bffa23a8a283b10e1a

SHA256
0bdab76f14a52ff6638846e5f77ded76d4829e797f43601d843d50fc2b9555ce

SHA512
946cc76a11ceb3c54ed3f40dc180ed120b20a5b8962a2866298c9d76dc26763d1d5284ca6bfaf98b6d6eb0a19a692a09004278f33f047b09f689a9ec622cda50

Download Submit
C:\ProgramData\Microsoft Help\MS.POWERPNT.DEV.14.1033.hxn

Filesize
674B

MD5
b514b9bf39c4488c1024e113d63dc792

SHA1
deabf87f45345124cf9395e018c90ee0abd659eb

SHA256
c1c1345f0ccc711573ea7e3d121c72db77e3b4b98074b9d11d92dfb7f2373f96

SHA512
5eab9a41b5ce1f6b910a4581216c90087ace84071bbeae65e021004471fa8b567d889ac48bb01cb25b82cdd4b790c03d0340b485c0867f9444c33708ea859722

Download Submit
C:\ProgramData\Microsoft Help\MS.SETLANG.14.1033.hxn

Filesize
642B

MD5
45ba9d32c238deed190d8653f0e266d0

SHA1
95a41cee9c2b92c0eca8047b678d0d15ce352d66

SHA256
d5ff0a74a21f7313a58eaca06e033e79b4f40e427edf37393e9274cd773d0bd2

SHA512
0e30c76120679c75c78800d41d6d97ab375dd3a1a918ba12e831a77a998b339f5b30fa5135e4c4c57b3a6df7c25cfaab1dac6d0e602440d828eccf9471efd4dc

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.14.1033.hxn

Filesize
642B

MD5
50169460e63eb01ae2c6e774fd1695e1

SHA1
4d5a80b2d66c1462a1ab74736eb62cf64a920e3b

SHA256
a3b32581e700f7eb75b0fd924a31284bc60597e7e73bf07f5bc97e061e727734

SHA512
57d73b3d3fb4e4f257572114078cf3098dcf3f75cebbb8407d26d3c37c0d1fe07c652d6314cb463dd2715c07467f00f4c1aeae6a88e3ad34fa40d4812049a45a

Download Submit
C:\ProgramData\Microsoft Help\MS.WINWORD.DEV.14.1033.hxn

Filesize
674B

MD5
2cb06fe746052b73a568e51e20553eef

SHA1
fe524d8a564b0b8a728a06dd6e1c8785ec510e34

SHA256
3a33846d751660463726d64725c41539dd71fe59d33064a2958e6f2e78f7f76c

SHA512
25a1734e8b701d6437c869bffdc02091f9a67e8e68c0bc853c38d8c0a09d08cda97be6a7a1e61d9a3de31d3acba8f61c85d480c6879f6d58993b0d77fa6d15de

Download Submit
C:\ProgramData\Microsoft Help\nslist.hxl

Filesize
6KB

MD5
98890f802eb0d333623d2da69a29b95e

SHA1
0498851c975d21abea03d714dfd95d25a4128141

SHA256
d9ec6f6f57760a0c969587c73587a91ae12ac36371209cbc2ef9c3deb0edabcc

SHA512
43358cf9bb65f22c7e3b2dd8995cbcf467ce163bf6680911ee590b5c38eaaf70a6c5f2a93893dad479a900fdb954a581430c2dd0dec9707a1c48ec4151519ba2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_CValidator.H1D

Filesize
12KB

MD5
a5623b2519857f5936b62c0e970e9cf7

SHA1
09cde9a8422bdda36623bb96330fb5d0f3795a3e

SHA256
49028e46d68d37e02e204219bea4b1588cc7612224e30cb3a2344bd59243ab6f

SHA512
ffc1652b1c453a00431e53d4deb73cfcdcc8d2eccc22fa93b446702508bed1102a506c334c98bca1f4faf0fe1303a27db3ca05ee0ab76eae663379f273f9cacc

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
2f756acf5b8a760cdc0fd2533cfb17d9

SHA1
1a993135486ec722c9e0c48d5fd2d08ec76d5292

SHA256
fb0fdabb22f86cfdc4d02d51704bdfcbffa226de02b3e7a25e949b89e255a0fc

SHA512
9cfecc0d90f19376c7dbe4553c9c696ef78148be033b6eb3dc3a86a0a8ad82df8e62ff707ec7b669520517f300208ddd847b3c1267e185d36b7a7e8cca55d943

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MKWD_BestBet.H1W

Filesize
409KB

MD5
77035aca6b53429ef3bd09fd325f5c5d

SHA1
5fcd34948d709b523207d87c281199ac2a82670b

SHA256
ce23e1bef9ae01337a30f28d3dbc5f2330038ddd56cc758f57596a4e5c20f3ac

SHA512
72423bd5ff410b76b8a069547b594d8b725d57563c7d252f45aa0b021b920056d5042bf38b0d3bd3c2873e5bda1fa44e7c50f1a59590732b54527126d5805ecf

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MTOC_help.H1H

Filesize
531KB

MD5
53002e8678d720219bff7816f6803b91

SHA1
9df889e3b90251ddaa628c1192f325b5d12fca2c

SHA256
4274c5bbb79b4c6dfda7384dd50793ef5715fcb36a53b38e6677cac6a7889482

SHA512
be7abe6515dbc4690dfb3adf894ae39989d3687b94af82c34a373520d5c2495bb228363730f29a95d6eebb0af65726f96bd2d3617069a8cf27f0ab66b121a38a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help_MValidator.H1D

Filesize
14KB

MD5
8894c84b9e93da6c6a070a16cdde3047

SHA1
af6412236ef2ac84ac7f38375fe7d660ff234a3a

SHA256
35f69f955b036418d8c91e512ba2db9f57f56541877ffa9e66b90aacdeff0b68

SHA512
378ebd064b026a01499e9079438cfaa59b6cfc47404c14df557ac7995d9ee4f2ca144ea291a2b2f95e08e09affa661a7a44233fff68731fa7df26bca4bfbb97b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\de-DE\Help{45EACA36-DBE9-4E4A-A26D-5C201902346D}.H1Q

Filesize
1.2MB

MD5
4e58099b265856e95ff0929e153cbbc1

SHA1
35bfac8f07b6d55aad6ab57db5edcfaf0b6138a0

SHA256
a9cc846163ca6056fe143a0cdf88a843fdf7430e067160ab474995a8730945c4

SHA512
df3c12506b0a090bcb27755aa2ed81c478cd77a9ebc837f5847d57abb3ef9353e9a3824c6b67e65dcc86e01ad12fdeb7e7681dce02d4dffe744535fb9af29e0f

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_CValidator.H1D

Filesize
12KB

MD5
1b20970ee137a65d1ea7db56a7e93d55

SHA1
555904618c8d84be67ef2712855df3969b7d943b

SHA256
5f8f83c8dcbfe7b5247cb6539d822cecac0cf10cab46b9886b5871326e60d5bf

SHA512
bd1cfe0dccff8ad5c3bef4b401c2d629db822955264935b5b2ac80c93c7c9d726d53eb03ec069883087df705fd8764f811a46c865bdb151ce70032cbdbf0d17b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
7e0de64b0a42f0872534f0dbe9544bc1

SHA1
8b2590da865a5b2afbe139381da1e06ecb034597

SHA256
9f478d67595219c4e09f87e22ce72613f067695d123b819b87e8b5f15c38063f

SHA512
d206835ecb82afe28f5e6d97e1ebd160c4234e26a2ac6bd3be3ee71d973842e7ada9510641e6e9f2e37bedadf498dacf78783ffd407a34cbffa6118cd825c905

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MKWD_BestBet.H1W

Filesize
201KB

MD5
d3bbb262631319cfa13b7f16cab2469c

SHA1
3cb027fb7480a693049bfe5f62a84c60fb8e2401

SHA256
d82041751e0540417af9fb771384b82d4132640ec90fca31db881b9829146a95

SHA512
ab3cf8e38e22baa293fe1bdb400b1f4f5d1d2e456d7f70367032d83cd65cf8faa8ef76cba65a338d575c74366c76ea2d102ac5e676320ce44fd83704b76407c3

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MTOC_help.H1H

Filesize
491KB

MD5
ccac5ec97d5073086b5ab19be653ad93

SHA1
eb8e29c467686e49b128ed8fda0190a93d37ae10

SHA256
63a2dcb46169ad582b1fbc1fe45e28f810dd44ae74e9bed58ebf215326277698

SHA512
bc53d67f340f643f81ad7458f2e392943e0740e839b8ccdc640bfe738dc22f80c83bd1dbd856fb66ca0833f93a16f572de32b9d021a001c834c43ecb990dee2b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.H1D

Filesize
14KB

MD5
723f8e440460e249e30716c72ed51775

SHA1
be669678912315ecd35b1e7da9f2fb16c3e5b4b9

SHA256
b7b7e0d4ed0ed884a49c570414bd4e7e65c0dc511c148cb9f6e8476e8bf8bcdf

SHA512
bd1a39f014ee0267c88603922fa3f03c216e360bec56a0d50d57329edd9ef12d131d8f625e7b96597814314e91492ad0a58c3b3de9797220788028685eb12b4a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help{9DAA54E8-CD95-4107-8E7F-BA3F24732D95}.H1Q

Filesize
864KB

MD5
a532c485268b2f44531f35841f9b5799

SHA1
8891bb13547aacf274f4b569592c69b70c9e22f6

SHA256
c432a5fcc1ddeb1c501e9bbc3b410a9aebde59a6a0f7a2df7ecfa6c19bdb8644

SHA512
eb21310ab7fc614d4979d19394f670deaa028286ae82d438f60a95c5e6beb18e4a841973e3a79a4bff2108a6f8cdd9c7a93a971cea3ecfd41075950e6fcc6f3a

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_CValidator.H1D

Filesize
12KB

MD5
f434aaafde615a4882c2aabdff8ed08e

SHA1
dca3a1084fff9756fdb97a08fdef8aa2e8d2174c

SHA256
85e0bdb65d9bebfceb46e59fc4ea916e23b7d46cd570fe7144195ab31f9fb1df

SHA512
6f6438b728e3098cb55614b6ac2627a2470ca2d4396a4b787a84e5e30cb8604730a23ac1c1e9db300f44ba737ca205982f6684b5a95e3533c95f3d67eeff35c2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
4a6631efdf3bdd7d92a124f47375924e

SHA1
a187893fa65a77608673890264ad085b850a1b6e

SHA256
acae12de70d7f94a4cbabc4595c9c6f9d4610473e3ff667adc36930213ecb73b

SHA512
03a423933da453550616fc9abf1257e2c1ed7f5069bb680be09d400ccef7c9bcb24211960de29c63d36e01ebf5149b7d70d5bdfd504179ff7ce8312f38180e64

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MKWD_BestBet.H1W

Filesize
425KB

MD5
2cd075bd7f275eff50022485a0ea78a9

SHA1
0328543da5d90a9b31aa19dd44e2f1248f239e92

SHA256
9d1f8751775787dd31e7ed92d594a3262e5244d814b545ece7930c33503f5be8

SHA512
c9d49247dc9b0ae2612796b4f23dddd2913925f9491fd25f81f16facf87078716e78b7737d7d3fd9c8c58d010751bf645e8a05e2b4667e8e1350cc4a53fc0b79

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MTOC_help.H1H

Filesize
531KB

MD5
1c59bb467aabb9577a57d1add77f697b

SHA1
7842c13df343c183c24c0454675b3406899e0b15

SHA256
859e45259e8eeb7b41010c20e822e4ab2f08fb39697fc24712f43ebd73119ee3

SHA512
9e68f2bcb4dff6d39ed615101c2edab07e24dce2b0cadc592d79bd02055516f455d337f6b11a5ae03a3dbdbafe6c0f96b2783fbcf3661388e0c0964fb16c735d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help_MValidator.H1D

Filesize
14KB

MD5
1c58de9619f7df607a38397e986064e5

SHA1
c63522c9092b0eeb650be97ed2dfad2cf5fd7f3c

SHA256
93c7e950009cd1942ab4fb11f5539bcbbfaf502f34c9a57a29eaebccc400f6da

SHA512
9a07997fb196c71d9bbd74366a5a8763fa145819116cac7a9e9c0b484bcda838514b4ff3e19c96393d86d848b9618ce0d3aa34eaf2485b31901644a691d3b86c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\es-ES\Help{68DC71DC-2327-4040-8F03-50D6A9805049}.H1Q

Filesize
1.0MB

MD5
b6da5d5ae4258b858184830200710640

SHA1
3b77dc6a8639b9d6c1306391ead2862b7a6f6bbf

SHA256
2bf8817648e16114257856e1b7d7e2aabdfe0db69dcb5266072dd339b48b7588

SHA512
6cf34aafd348d4ab2e23b66291781c2a4b243de048a04fbd86464cddec8008f7807d4fb8862453de63ad247459c5d16a2dae8eff602b51c1d86717afd381e081

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_CValidator.H1D

Filesize
12KB

MD5
65ff6495f3c39ceb28ed5ec175615e2d

SHA1
b387e19981b7310c577acb884fa271afe0f97dcb

SHA256
8b6ba1a12a72ce6f041e9b2315015d5eac3e5921a89935a51e165cdae8fc5cad

SHA512
3f8503b426530a4303800bc7a2ad7479d8bec624741dbe9861537d5eb9585612d1063034b27a5527a8a440d964dce2541ae3b898ac5bdbc1cfb84d3886a987fe

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
4a1ffb6cd309e24f6a527c5e0e50d505

SHA1
483ebaeb9a2c33e51debdcc345987a37d980b860

SHA256
27d8de3a511f60af5760495a0dc1500e91de8ea411fc9da8c7f34433a3107f4d

SHA512
1f731c797946c265fbe5ef6124da5fd99ef931284cf8804c0b4ff7a6d15f7d348d9f2352866ff5339f4f7bf25a159aa350bb4c0785aca2ae7bc349e412191fc7

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
9b6efeb1351f821fa0e858dd67efed29

SHA1
7d51678514b18d73b7c5f1365bec0e4f4903b6e7

SHA256
efcc6f720b45bd090dda2783744bf76df955242825c7ccaeb8cd60177cf70b69

SHA512
1e13a550be72e11925f5dda910b6356f7117bf73f7df61b32fd7d1acb15435b401a8d9e35844ff06af0af0e74050173a94922fb65270be5a8334bf5fb1b245e2

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MTOC_help.H1H

Filesize
546KB

MD5
19407399195440412ccd5b10a39c4b7e

SHA1
35c4e24a8ad88e3f47e571413a3b9071b77484b6

SHA256
fb2036391f9aebc8709dad7aabce1c6103744f1c1daa04f3a648d3083ced4391

SHA512
5f9d3f949c87618d8ab154767479a6192cdeca147b2dc1d4c4147b2590c1af397ae4f4067415c3943acd58e4cc14ed793906a8becc53eb5deb656b5d0901fa1b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help_MValidator.H1D

Filesize
14KB

MD5
6de05c6cf6b9daf94319fb4ffd21d6bf

SHA1
a01ea4e88e1cadc90d89a52331c542ed1e2b157d

SHA256
99b9935201274a4adb7a246bf280dde56a4886956e32a07a3d8b1cc3513efbb1

SHA512
1bb9c403822649fbc175554c51fead74a1909fc6b404cb4c7fff9af0a76729856cea2f5396097e6cef9c266f40fbaa0e31c024246f8a36c57965b7586206171d

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\fr-FR\Help{92F2118A-E813-4A4D-9DE2-F96A9DC02C53}.H1Q

Filesize
1.1MB

MD5
45c6dd86676d01cbccd18899fa3c075c

SHA1
79fd36ecec330952bd2ecc881d34034740944ab0

SHA256
4140889645cd9c506db85d36a90aad56e3cf8adcfb7040df851b80eefa81e9f4

SHA512
5daa1aead4e3b562c23cd6bde59a8751da9e96000faf69b47b9565b1a78f67cbfc425f9781e58d88af7228dc4df8716234137179492e2fa1c95f7bba72e7cdc8

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_CValidator.H1D

Filesize
12KB

MD5
85e86fc0b2aeea6bec60f567ec33c1ac

SHA1
295f1ca5f48a871c834392d7be68405a76023c3a

SHA256
99d4e4e49f53443dac910fa8856f96803a32b72149ba38b2755509faa7c8a6bc

SHA512
4c311935e2c87af08cc03d222a6931a4b3c87560dbb5a067d60aa0d445e27eec174ca07ee9e69382c53678ab6192aec5ee61be5fda5f1250f15b3ae5ed5e15d4

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
1ca5b105bbbac5968f2a73182ebfe365

SHA1
7729dff3c0d7d85ef933c190e9a3e44c8b7083b9

SHA256
e273951d5f304064ec90c8d1a90d020a29b6d9ccc07a34ed3353efb56dd7b080

SHA512
a25da0ce4cb5113f583586ad3b998c862d16af8820dd9f281bebabbba41f8f0932b81dacdda664b2a11a3512f46097916f4682dfaf4f13b3b922e2a2de0547e1

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MKWD_BestBet.H1W

Filesize
421KB

MD5
37c5dd4bb68ba4bca36db86c352f58ea

SHA1
45b57be761712be651eb442978270fd052d3d480

SHA256
aab58373f9929fb30a514e5318079ccfa7ce6eb67d15fccca2e2e51a068c71fc

SHA512
bc6eb21660f7b0c84f3f76f4307f01c8294985c6da2f6cf1e952cb5f1a318b1072d3c9c38f310012f41a52d1a855ffef75b575df5ff046e796bc62d800109e1e

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MTOC_help.H1H

Filesize
530KB

MD5
84f0c6601802f5ceecacea0857afde4c

SHA1
4f2079787ff729c4d93b70bb3d353cdd2a979b7e

SHA256
dce3369fc05a4737a0b63d4c64869cccffc2404edaf946bec06c48de8fd2e95b

SHA512
c9ac7477eab4c2169ed9cd6f6c1aa59abf4e18da395a96e89a16adc8e75db9c35beafb09bad73fbc3f0042bfefc660c9d2e2286df4fb9cc018980274d0eb67ec

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help_MValidator.H1D

Filesize
14KB

MD5
0dcf69ef4215203a8d94f156e2b66d08

SHA1
c2a0a214d9fde8c95ceced6b31e9ab9618eef649

SHA256
05cc98a6da8ab71983e362dbd3f05b7e5c5382426b660340ac4ecba74cd75060

SHA512
64864b47a75349d63b2a9de075cdbf26151a566e8be065a5e3e4abfeed472d1c23c7198d9a23f1d4462506158763c7b350b75b60f12cef68a65edb52773a0235

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\it-IT\Help{7E352021-69D6-4553-86AC-430B0D8FF913}.H1Q

Filesize
1.0MB

MD5
3cd86967e32f35d8164ce24564812c84

SHA1
41fd5d8d44ca1dafdf2a2132a9371e9569cf60a7

SHA256
eb924009e568861d7e7baabc7760cb292a01a3d40b502b6a427e3d6a145059ff

SHA512
5e889f4c90cf5f1f9970db0620164107ce75d47a77e5e1f77d777b893c2fc5afbed72bf7881ef614eacfd3973f0b7baa512a19fee73289e6dbff3454201932b9

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_CValidator.H1D

Filesize
12KB

MD5
6ba883309ad4a8b43d00b8b7013d7fa7

SHA1
51a3c4eede41f8b467679f8e34dcfa424a5ea6c8

SHA256
c33f9d34ab3d94b84dc3e0ecc13659b00b4fea64ebaeeb06dd8f5d064e1010ea

SHA512
925fc568652d3186c7014653fc393c3d498e1172806a9515875e894288165c8d2317ee0e08111446b793b52226b4ad6a22adf8f72654d488fd221c38c3aff465

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
c1882c2a57fce7d426d59f9d094dac41

SHA1
1897a47b10c9a84094810e86c9f01c0d73e44be8

SHA256
077b6283f0866834407a4aade4d1f1e3809ce963610219fc85ec6265b3c17064

SHA512
a92b4035976f5557e3dba0c495fb9393df285b2761392a4d9cf048654ee0aeeedd7ea795a6fd0b7775742f3ed44d73e55f9a0c50fd60ea4a5ecdc047b51e26c8

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
41cc7c08ceb6ba84ed78c91711918649

SHA1
2351acc86dcec38304b212a2613b9f7f1af7fc41

SHA256
1a45bad05ed0cbaa9aad3cad7ac2ba47b41825ff7378c9071bd396585ddee187

SHA512
75e6f84327b280b0ddeb062e39646e15d77bc728b265c82ebbec6d64223c977f5373c96088233f981e075159dd31dda53b22d6e19de6d95b5e4783f6dbed0175

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MTOC_help.H1H

Filesize
352KB

MD5
81ef32ab190edcd04408ba90c4320898

SHA1
b1929cc03eb07854fa168bb5fda35ba96b009dcb

SHA256
b034f32ad5b7bc2b5695841a7b47226347afda11dfd5dfc2112d6b0a336759bd

SHA512
0f15c7a9531e13b5eaae7181746f65824eb82b106e265afde07f997614245108563f4080524e4a22175df98ecfe5b83574b7a6a8d2c52fc261b697d4d76a4e7b

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help_MValidator.H1D

Filesize
14KB

MD5
86ce9b3efc145c0254bd55befc1326a3

SHA1
92a237bd3a4c52a4fd42af631968a1326500693f

SHA256
8a734883ca046d3ad7f33ab14e9ff87a7c9d07395c6de8771bef1d07c3993c64

SHA512
62e3dc9f55d387a694eec2b169d113ac616cc66bfb032c57f9700af8fc57bbe97aa91f02eda119c52fa062838775cfe113ade8085e5d251d4cde9ad67d0aec7c

Download Submit
C:\ProgramData\Microsoft\Assistance\Client\1.0\ja-JP\Help{E1E8F15E-8BEC-45DF-83BF-50FF84D0CAB5}.H1Q

Filesize
1.2MB

MD5
bad4dcccca30bd5d3f27feaf5ebe8714

SHA1
c00bb9a5195df41fd6ff26d416668d9fc3449b74

SHA256
8da3bf48e9c83b95c837760fe83fae0819a7a1f8479a9134ccfd481a9b14afd7

SHA512
8aba472e48253e01246760e8f8d87979830037a98992f0da5f95c962b45681df29b5bed794c1c74efb4cf3ce0c6cf7466e4dfcfd9f3c51c1bfa4723cade4e931

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
338B

MD5
aec13e493cd75eb2ad6f5fab58f97ffb

SHA1
3e2bb6a16141e755dbbb38098c51f4452b955df0

SHA256
2ba3082b9081f58b524ce3c2eebf8d59090e39ed0ece1b1ec24dc9939d74bc78

SHA512
31d89c29346b63f5cbd12544910c449faeb04a335749cf2c896a20a54cdf7269499edc62b559978d5e8f5390ddcd2e807acfb681603754fc3329ad2fe88cd7f5

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
322B

MD5
0edd979dc02fb34354bd6c9a7b043254

SHA1
d5669b5ac010feef861212bdfd5cb4228b3a06cd

SHA256
2b9152f8e96805fa2ba31eef6cc0a09b72ed7272969d90fd554d70f98f3fe5cd

SHA512
f9ddf93f4e83f3ba471e04c09a42e8faac4e4adf1c6f1901387089d7ca6b9704e2234276ee82dceecd2092f3b2972d1097abf1bff55534428b29cfd3d72dc5c9

Download Submit
C:\ProgramData\Microsoft\MF\Active.GRL

Filesize
14KB

MD5
d84a616f1623448c4bb942795cfc5030

SHA1
9e1b3402c7d30448ed7dee949a011e2d4db22e5d

SHA256
65d7b42e07cb768c819e4fb8bfc2c2533f3d8b4a736b3cba265c11b717b4095d

SHA512
efd2fd8ef68cc2dfd23c0ee5000a11acf19b0a2bcf752e62b55a2dc69b5f7fe66d2a42ea8b07835e07df0de6db7622425bff65aecef482c909014682cb5679e6

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
f6bbedcdaff186005a687806a28207a2

SHA1
f89478a23f4064bc35c60fdb8c0cb2934b2a4731

SHA256
d2f3bc3dadf7cbbc776178cdab750d373b05d8c12bd30be616244278fa11c1a1

SHA512
dc938e84f6fa11cd2ed83ade85687763deb02269f2c5f255e682ce000c63f672c6eb24d5cab39d8f2040d92a582166278d25874f7e4c21555b8050e49542162a

Download Submit
C:\ProgramData\Microsoft\OFFICE\AssetLibrary.ico

Filesize
5KB

MD5
001e9812156926e2a29b8b1223dd2d70

SHA1
53cb846840eece9d77effb738033a22822bc3eb8

SHA256
9673537d7ddc2c2f51a71db62573ef90ed1dd30f2944e6e9271555eb55a40bc8

SHA512
906e66cae4687b86da9f966563535d8b860c91ad2c04d8325f9f4403f68d052182590fd785cec5d031be6991fa6b379c61594d52b749d21d3f942e498b7cce4d

Download Submit
C:\ProgramData\Microsoft\OFFICE\DocumentRepository.ico

Filesize
24KB

MD5
5e8415bdf7aa1ccfe4b66bcc0cee0035

SHA1
5d4230119df4a221895958142caeec40b757cb57

SHA256
74ca6d242999f70ed5cd1f3f759d9c0cbdb5d1d03282efb0b815e91051cab224

SHA512
771e75d3d2beec36cafcb9e650cff0b0de34b117bfa216bdf245506126a41fde59d94fd118f235d29f5a122e0fa0a4e07b007b434c13ae6638b4f61675c8390c

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySharePoints.ico

Filesize
341KB

MD5
306778987445f48051f0fbae7e7234fc

SHA1
92e98b756a90882095aee146bfe434dc0a8983be

SHA256
92df57f6a85715dd2911709adcf6e00755e8051826fd744250ab8fca887d2671

SHA512
6ad1b575edda9bfb9f4575bde5ea2f36a9e5305280792b8e9a3ede4dce0397bbc1fa43962807d77f98fa26f2fd531e62967dcf6b73f8bcc4b1fb461f3a9db212

Download Submit
C:\ProgramData\Microsoft\OFFICE\MySite.ico

Filesize
24KB

MD5
8ecd7b000f694af00c78026282d96858

SHA1
c3c34ebd4de76294c9943735a791bb0b2a45b88e

SHA256
9d12adc8bba031aef1abfbadd0ff2a822aa445a9332708acc74d220940052668

SHA512
0c7d5f051d2e9e584d277b59e74152b982db51a573b407732a330aed8aff4419ee48124d6f37172501d27f4d20f95fd8d4d1d06d2166e3a439311af717425665

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointPortalSite.ico

Filesize
24KB

MD5
488f6168bf84f826e9c8a446736b0de2

SHA1
dd1d24ee3f1b8c3c581edbaa71432783f88e37a0

SHA256
81a72a2be14eb64de1297ada329edef4962bd668be1b4731f90d48ee28b2283e

SHA512
67ac390d605f5fc4006616d3a46a91b3a86768d7aeb6c8f31c9cc6c3c63d2de8324822d6ef1f5a0aa0a9bc0a3e599bd9753aa36a4064f4c0475f37657487a100

Download Submit
C:\ProgramData\Microsoft\OFFICE\SharePointTeamSite.ico

Filesize
24KB

MD5
6be733e5179d3a40d6c5c903aaf13767

SHA1
648013e5c0484cbc74628d07d99e251cf6be2c9d

SHA256
a8ff5797463ef6fb93f77a3e4ad6479adb2ff3dbd22c168b4e6db3c5dab0a74e

SHA512
1b88230dcd8119245931f01e81e3aae07962bc54c413d86e2c9e6270a068a4824f7c069102f39d06b8deebc863b362c2d7fda27a82358bd63bdb2ced14f41978

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\Cache\cache.dat

Filesize
29KB

MD5
79f15d17391cdf4de9da1c3046eb30f5

SHA1
9670bc40b9e100003a3ec57e42ce44b93060fcea

SHA256
3dc7e6135e2049b338c2bc508a221c1079b7cb7d83cb715e3c3f599312dd1dfc

SHA512
1519021c5ec2ba5d038593ff68e1ff551fc9e5466165fa96646297846c957a7c576f30d3af0f2e2f90663f3a91c58c1f03ab02a96add6cda6f3a6993be996bde

Download Submit
C:\ProgramData\Microsoft\OfficeSoftwareProtectionPlatform\tokens.dat

Filesize
2.3MB

MD5
bed1197f1a1248bbf4d4b6f66b058c16

SHA1
6786f0001471b0d6e6b59f77932748ed93ab1d38

SHA256
0e154b778db91be38369f0adf89afaf878bb2f9ba41af68a7f5f584b96f532de

SHA512
942d97b8e8a3001217ab2beac651e82e3837830f2fe9f3086e2c17929f7a180c6a7d169b7c36f9864bf774cd32bbc3b30a43d96ff886f1e1641dc6068495262a

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\guest.bmp

Filesize
48KB

MD5
4512e058e96ea19f32baa993e39742a8

SHA1
7239dd5a9e29701a9d8e54a08e7b0b09716e4a6c

SHA256
909b4e1ab8a01456bddaca97099b28e6dcbc2680c7b6458a3a642ddb0af06fe1

SHA512
6d0af035829b0528a66d4e0f2f10615e9db93600eb55fd8169467206e3f053272d18247495bc24d3fc0cf318b799ac0be7e1087baaee2da5899173251c8c4f1f

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
65547e3bf81a0b1c0132eff322d50ee4

SHA1
942c71689ad3affb360907bae1308a260c9666ad

SHA256
5abf9597b5fe9a8e7dd028d201cafab813ec6549d64be3442bcce8d582a493f2

SHA512
bc5bf57b54fda587a5a63ebed4666e3ed8067fefed4db7bd774973362fa74f5e6d51fee5a63bc25613c90d9573c0620bf174d4bc79ce7e39fb8086890eedd57c

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\state.rsm

Filesize
914B

MD5
4e3544bf35f2fca169ebd876ea47b72c

SHA1
edba860ddd335cf707673e116cfeb647cb196a97

SHA256
5ce437bf46f8f70a2bfffeb1928844738119554503cd379fa6e9eae9122cccab

SHA512
5822bc13a43a97eee7214d16256bc31bd014badea468f96160d1a9e76261182de5db5cba1bb807409b709574755152966022c647fc47244721f9d78365a5e2eb

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.5MB

MD5
a092d1b8043e11fedd1eaac0b723857b

SHA1
209b9d9926fdebe9577f807c0f12cc4cea531c86

SHA256
108f5b685f783ed38ac05703ad5496d4d647edff20f01beee2e66e83f7600e17

SHA512
3fbf954f267fe4af7b224c2edf44fa238e4f54edfe8648d8ff6ce7664a4181c3e1a4b0f3e2982e389195026ecc6913ddee869f2228254ea2d40f2c117bcc6f67

Download Submit
C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
148KB

MD5
d8b9135d2faa6bb2f1e601272ca65779

SHA1
feaaba329ada2d92228e48bc41dd1f4ed417d6b0

SHA256
50e58f8267716ddf78cc5058ea7a6c3ce697cb9c08c5a115320639bf5facee6f

SHA512
c182e5691860350c97c1e35b15d0ec2c8056dae7a72df7c5b1f3a0f19d87d469b1bebde8c9aa90e99455b7a739c2957bab9d42a7453cdff7374b83af67785c98

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\state.rsm

Filesize
1KB

MD5
c7facf0d232e34d0ae3287d8ba56a987

SHA1
ece62f524b22106e67f49868c5418288816cca1b

SHA256
1188e0f629bbaa6eeb942dbcd20629d4e3db1013a2fa9cb8b3c02b51785a38b3

SHA512
0dde0aa87e999262672acb11e436d7adadbccc5c55ba89067d14eedb5c69fbaf18a36c37db0616fd3d8980f2cb8b34e67714df227f5f533453e9439e3af5e10e

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.3MB

MD5
1d19ed6fea408077938b899591a88dd9

SHA1
cdadc555776805e32f4ab9979927c4791a0fe976

SHA256
46cb62da1900ea2f7c98e362d45cb189b5d440a001294bcf76b2cc0b9b1eeb51

SHA512
25cf971fbad2f5680442471d8119942b50110de3a147a79df205836ae12a12a4ae7d82f57dc39339f9ab72c88585c9e83bdeb3ae8bfb8b053b7a32b885617608

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
06e5413d8797f7836d3df0cbbbdf4fc9

SHA1
7a2ac2f65e1a8b15af86eedd2817d74162a32d27

SHA256
b9d4f57851ae888e62bdc8bb41f9dfb3d667b5dd6b5801bfcd3456b05514c811

SHA512
de25eabb23dccf3d4b69da9b8d4981f843b200da25e77d26833c7839b21d9a3d19d3f9fbe26c7c61bd699dcf526858d9d121c5c6a7b928a7401df7d3159b8bd4

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\state.rsm

Filesize
1KB

MD5
23550037fdc233417839ac199ff9c3bf

SHA1
5c5a885afa979d29da0bb416b306a2243fc3c260

SHA256
fd791ee997400408a0725f327715675e9fc7dcf9bcc4246f2e7b6965e2413641

SHA512
0a725fc109c8db9b38adc2ead47a4bf6e29e39182e9e655992b2a1c03aabce3afddd58c20e4bf3fc8df4b28b064eda268e044b5c37780b543443482b0ccbd17d

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\state.rsm

Filesize
930B

MD5
72fa648e09062969d8c5784d408ebb11

SHA1
bff3dffeab97261eb604ef353bc43e2ec5864770

SHA256
fe7da365e71eb75e9b17869ed44bfed2c6231fd795654106e88b1012c5b4d6cc

SHA512
72c72fae0f14ee6aafe92572433f93f5514b32a44db3840d47c1001dd79e3eb2876f1629c7fb6e1fd551d212e7edf028bf976a896bd7d5ec0b8ac0cbcb50ca96

Download Submit
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
870KB

MD5
667f3da7c201305bf6a335fadf20c69b

SHA1
cce3c3e0b82111386b0d6a2a719e2d6b0ed2a913

SHA256
c9b096511f737e8faace54988b258f759a4f080fddf4da00bf63673031a046ec

SHA512
2fc76bc90b6952b6e3e44ed128760d7b2a528b94e02dbfc915d9098266d7585708edd48d76d8839ee1d7969239eeb9c021b4b4a6c46cdbd4a89fac7ff53c52e4

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\cab1.cab

Filesize
5.4MB

MD5
2b69de9cae413bb2521201812454f02b

SHA1
f38d4e5227a1c2f04b455e270d8279713274dde4

SHA256
b1a41ff28f1cad0a9e5b700dd4bd86c38a48738647c03683096ddf77be91dbc9

SHA512
e788453758ce42d408f2af08da10316a57413c27f0876e780beff8154870245a4827d3fb5ecd4362113157e1c377b42e12668bdae73670d6be355c70f26476c0

Download Submit
C:\ProgramData\Package Cache\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}v14.30.30704\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
180KB

MD5
4e2d4cd76a82cbacdda8057b5d8f55d7

SHA1
de2856a39fd11ef5711c915b61da526b1ef34edb

SHA256
70e1e297a95785ea1863e2d7288a3e9faef79029a9bbef84c40105adcaa8aa3f

SHA512
dfcef32616835b06aae2bd02f3386609fa617ca88374f5b4c5364e175a06a1953db6d70b82758a61a89884ae52d8c0d54c4fb3759a942473beee361db6ba841a

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.7MB

MD5
9c870e92a68169f29a97fdb1e915a19f

SHA1
47f3b9e361859fdd37b3cb02fcf658e1e3f6fc7a

SHA256
88610fa9ed890d73db0f7da056f996defdee323b6a35151f6c2b170386e3d9dd

SHA512
7ecdf74dccd2eb2839705310d98e7ba2bff69a138788639caf6f0101441540fee523811c20cea284fe88a591aef18e7bc2d992dac764b6a7455837c86a341a89

Download Submit
C:\ProgramData\Package Cache\{7DAD0258-515C-3DD4-8964-BD714199E0F7}v12.0.40660\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
140KB

MD5
f0e7f4c0d9346c760aec452c12dafb71

SHA1
413ea601359c13e304f853f40a2df45e27a5b8ec

SHA256
8b9f0d54873cb5706ee97fe591f8a89101899b72b26cf76476a34fef0825d12e

SHA512
b4f946077834d0cfd3030bf11cbcde16ae6db0681b06ad5ebaf4d9d689fcf97cb687fcfdbdb6d9fb92acf5d3a6c4d4203b229d8b555b7d15272cb689ff55ff48

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
b5d13a9e3bdc0f74a8f99e8d20dc351f

SHA1
40ead2b07f9d59b929d0fb22335f1e55b8db366e

SHA256
a2a5caf146412a7e092c25e8981c24336e2b5a1d2e94945397e80b64eafd2853

SHA512
7602a719bed38eb6f476aa644a99892846de53757471e6acf1223fb1ce2f726b23fcd4827d266b483bcc45bbfc4ceeeaa06708f6dfa8acca6d4aab74b67f7422

Download Submit
C:\ProgramData\Package Cache\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
148KB

MD5
7018c35095cb3324c33b387ac5f5d857

SHA1
92f95decb28964aff13db54f412bf7d43c7e8e1c

SHA256
52f2fee765cd28c24f6bec273a83c59e46590609ee026a7077921c46ea51334b

SHA512
c5b4dcc85d90a00aaf014ba3e22310a343171a9a544c6059edd00d3f56024f1d6473b93d2b0aebfb1db2acd7bd2421dbec223482ebd042c16c91c1ed38a93818

Download Submit
C:\ProgramData\Package Cache\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
802KB

MD5
0eaa9cb6654b1354539f2de7877ed140

SHA1
0a7690782687228e55ad8402ad9e9a237bd1ce3a

SHA256
10543ee1220578d998e17b26f87864c060f7478f40bd823a6b9a359e34ea5a8c

SHA512
a837149b5a1fdeb0cb29de8e7e5fc0bfc1603963f4ab1950ebfc5cca90a52f75ece2bbb37c42cb4b1cdf4b5aea0eea8d573f947ef583e315a91a931475ffc8f3

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\cab1.cab

Filesize
4.9MB

MD5
64b611e583d0926e620a699ccc429553

SHA1
7bc1e529c1e490489315147fe50134757c3b4e98

SHA256
232f164c546e91359c176d75e99d04935575967daa7c797dae23e002a1eeedfe

SHA512
ac6bfdd9f35db5ae533fdd8088209c578a933a4acc88b4e63eb1c1036524ff111554834bf868553f3b31a55a5025127669ca6b9a97cddd4b7a1f338cd042ffba

Download Submit
C:\ProgramData\Package Cache\{BF08E976-B92E-4336-B56F-2171179476C4}v14.30.30704\packages\vcRuntimeAdditional_x86\vc_runtimeAdditional_x86.msi

Filesize
180KB

MD5
3353302f991d2d33b9c8a86fd937139e

SHA1
7525dbf44d34a492fbe28ab6c2b352cf5eb219f5

SHA256
22c3191c6805a2bd6871b674e309aa091333fa66c1b996c6e51d5ecf73f8734c

SHA512
df5c0db5fa789f368c4315223213964ff023bfe75c1f8687498694b451b4803cbc2ff3c59f742cd25ccaca0b1b271cf8465e0a04c125d0d9d92f7827b5b942d3

Download Submit
C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
1010KB

MD5
491add4c19abc1cf593ab85fbac87c0c

SHA1
63ae9de0784346a0e47d550138a48c80ebaf2b34

SHA256
02bfd5a8096f669518af352f196fb661e0443eb524872fcfaef793a7ede01e3a

SHA512
3c7deac8c50576e40be73790ee4347d0f415b6af821d881d83af0588905e6e9e8ab4b61d7f9eff942cb28d237b3cd9db5b8ed93874f4d3b418cd01dbac12bd6c

Download Submit
C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab

Filesize
791KB

MD5
77110b563b41817754f06e62bd0922aa

SHA1
f9108c6aa2e9cd224c5f7fc555b731f06f8d3d3c

SHA256
e13cfa8c102227974e4597fde7567ef00163d99f3d5c3fba55bdd3675e3076f2

SHA512
beb0c9dd656928a4814e8517048147bd7db8b5bb0cfaf15dc486068127bb52cba5148037a0a6fb9e3d539434f8f478717e78d51429ae439696656c587b861785

Download Submit
C:\ProgramData\Package Cache\{E30D8B21-D82D-3211-82CC-0F0A5D1495E8}v12.0.40660\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
974KB

MD5
48d315a2d1c5dc3e7b30f27f2bea3c45

SHA1
35d0fa41752356607257bb2450186e4b33494f14

SHA256
ad40411a54dd9a92e6ede6019e5f786b870aedd58d1262e1a6f3de485e4574c4

SHA512
2692efcabedc12d6a55d28840dd04f238a2eb1251538a018e3cd8593d7e48605ea064c26bd3e72f6fb7635b50df8e2a03991b82b11499d5a63669067354ac777

Download Submit
C:\ProgramData\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\cab1.cab

Filesize
742KB

MD5
62fcc6a6033db43e3063c294ee6082ea

SHA1
014d49e125089a911065f59d90f2dbe31a249cdd

SHA256
440a3702a1245ecb7252f78f392c80f2ee5e40e54eaa9798fde9fdd87669b7cb

SHA512
b1c3c752422f71f0aa000b4bbe1a042a5fe7ed1923387ff41751c2f2bd07ef509df8168a7155a4afb96eaba10ba00e88f9a41ffedf69f3faa708986936755298

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\state.rsm

Filesize
914B

MD5
1a2da8ee1d09767e93c1d35f135a0094

SHA1
efa9f158d5819c57f88826f115f6a9a7c0f275f5

SHA256
a51d4fe0b550d783ccf69983e6fe9cb9be6489ba251ce60502982c5e565b5282

SHA512
7d743b67d8ca03a55c9d839f3d9e9d46b49ea172a5f3fec235d568322682f4ed8eeeaa4b23f89d7b897f39acbbbbe59bf7a4691de758618e6c638f401fb461dd

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\state.rsm

Filesize
930B

MD5
5610506529f9d1d2b800fd339ac3ca99

SHA1
b291a9c4bd291a3845e876339eaeca62bb6ac0c0

SHA256
e7dc7537ab74700e78edfc1ccdad87963fa4da6c248b247535e28c1646c44426

SHA512
d49d6789d17c11460b8141c847956ae5a91cad2eafe17d4f31671e4d11a407ff44c40656cf5df045c1d1a28cd643c15ccbe80f9adb0b286d020b5d3c84657141

Download Submit
C:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
C:\users\Public\window.bat

Filesize
1KB

MD5
d2aba3e1af80edd77e206cd43cfd3129

SHA1
3116da65d097708fad63a3b73d1c39bffa94cb01

SHA256
8940135a58d28338ce4ea9b9933e6780507c56ab37a2f2e3a1a98c6564548a12

SHA512
0059bd4cc02c52a219a0a2e1836bf04c11e2693446648dd4d92a2f38ed060ecd6c0f835e542ff8cfef8903873c01b8de2b38ed6ed2131a131bdd17887c11d0ec

Download Submit
\??\c:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.bak

Filesize
12KB

MD5
478dd0295323f30569271b2dce8aebc0

SHA1
6f74166ce31740cb7c40414a449a91254e48d6bd

SHA256
2ea67565ade48a3a90d11ed94e12ab8f394364c218d1de142be1708b95e6a607

SHA512
adebe4c766ae927c0e0d0d26c92b4b2281a9322e3ad0e081060662972a08641313288830d2ef2d83fc28de1094aa86ac6577c8a4d9c8409bc136ff0f59dbbe3a

Download Submit
\??\c:\Users\Admin\AppData\Roaming\BackupDisconnect.m4v

Filesize
182KB

MD5
e5df471f7d154411894274d87be20317

SHA1
85921f8f5a5840e3448c6d36c8a38be450fef15c

SHA256
b5a6dd490c84234fb33ee6331210a7225b5b77027801c52a963e4403c349ade0

SHA512
0d6e8bb0edc44d145bc50069030a8134380c9379d3ada24ea97bda77f8b8bb71c17b07e7f165b726b3546377bb7d00b5ab93f318cf15798e4695e2e6a8a0b61b

Download Submit
\??\c:\Users\Admin\AppData\Roaming\BackupHide.wav

Filesize
521KB

MD5
6eef3c10727a917976a591549b3a5155

SHA1
1ffcccdee8801e3953e32ec37c797699954efc0c

SHA256
bdf85dc98ddc1eaf0a82b7db07791f213bc2b55c4b59940a784e9a4978ac2451

SHA512
3e4561a135681b6ecc504af2005ee427c827e9c25c955e56dfd09e5cef99cd1b47e0024ab471c8876e93427e996a525d8865846235f69b545684a4f19d62b20b

Download Submit
\??\c:\Users\Admin\Documents\BackupBlock.vstx

Filesize
228KB

MD5
884ffee7558450cba2532225c8353bde

SHA1
3f09249d602746ec1290966b6dfd7061a761c49d

SHA256
33aed1ec561b60710db7820d10dbcda92cd2abb044292608233fbe293ee7b9be

SHA512
7d72c12edc30cf9d8ec8278dc8a5c8ee286123278329d8831a918cd614055b88eb89d7d98ada0f6c0d3810ac2cba0a55f044b7b0ba29967d401ddc16478d4396

Download Submit
\??\c:\Users\Admin\Pictures\BackupFind.tiff

Filesize
217KB

MD5
ba06a5605046c1a0edae38d95278be17

SHA1
ced845ccf412cc570814437cf8b34e65dd8577ed

SHA256
4384d5bfec7ef22f8d3ff296ebc3fec242058b5e7ad4e2bb34c3dc29e05c53b8

SHA512
4ae500fb0b5008bc0714e2dcc68076db109661ed229859de59404fc88a2e411373cb0dc2be0dd3b6079d12797952fd3d3ffb09a6ab3faaf2bda816f4fd6f1444

Download Submit
\??\c:\Users\Admin\Pictures\BackupInvoke.gif

Filesize
309KB

MD5
bd487dbe6212660645eff6962fc15ed2

SHA1
678513f122a93713a6b1a2ce1e76a0a3649316fd

SHA256
fd2f07b8742b86ae027a69d2c83baa7c6f632ff9b4cd1c1f64a06c629ccfcc5f

SHA512
3824ca90163758b8471761c99eace6330849698af0ce1dfbde7b348411177c2b8f4275da39f45ee42c9f0ea14253dd4ee22ef8fa517fcbeae2f11735caa60aba

Download Submit
memory/1116-0-0x0000000030000000-0x0000000030382000-memory.dmp

Filesize
3.5MB

Download