ryuk | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d
SSDEEP

6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WngZy.exe5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	WngZy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

WngZy.exe

pid process

2360 WngZy.exe
Executes dropped EXE 1 IoCs

Processes:

WngZy.exe

pid process

2360 WngZy.exe

pid	process
2360	WngZy.exe

pid	process
2360	WngZy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\WngZy.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\webkit.md	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp3-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\wordmui.msi.16.en-us.boot.tree.dat	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\System\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\officemuiset.msi.16.en-us.boot.tree.dat	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\management\jmxremote.access	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\ext\access-bridge-64.jar	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcR_OEM_Perp-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Grace-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\kor-kor.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial1-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\SONORA.INF	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp4-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription1-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\InitializeWait.clr	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\jfr\default.jfc	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\HeartbeatConfig.xml	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\assets\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\NamedUrls.HxK	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusVL_MAK-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019VL_KMS_Client_AE-ul.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTest-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Trial-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\icu_web.md	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\THMBNAIL.PNG	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Grace-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\PREVIEW.GIF	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dtplugin\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_K_COL.HXK	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD_COL.HXC	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ks_IN\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Retail3-ul-oob.xrm-ms	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

sihost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WngZy.exe

pid process

2360 WngZy.exe
2360 WngZy.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WngZy.exe

description pid process

Token: SeDebugPrivilege 2360 WngZy.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

11752 StartMenuExperienceHost.exe

pid	process
2360	WngZy.exe
2360	WngZy.exe

description	pid	process
Token: SeDebugPrivilege	2360	WngZy.exe

pid	process
11752	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exeWngZy.execmd.exe

description	pid	process	target process
PID 2356 wrote to memory of 2360	2356	5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe	WngZy.exe
PID 2356 wrote to memory of 2360	2356	5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe	WngZy.exe
PID 2360 wrote to memory of 876	2360	WngZy.exe	cmd.exe
PID 2360 wrote to memory of 876	2360	WngZy.exe	cmd.exe
PID 2360 wrote to memory of 2408	2360	WngZy.exe	sihost.exe
PID 876 wrote to memory of 4824	876	cmd.exe	reg.exe
PID 876 wrote to memory of 4824	876	cmd.exe	reg.exe
PID 2360 wrote to memory of 2424	2360	WngZy.exe	svchost.exe
PID 2360 wrote to memory of 2512	2360	WngZy.exe	taskhostw.exe
PID 2360 wrote to memory of 3624	2360	WngZy.exe	svchost.exe
PID 2360 wrote to memory of 3844	2360	WngZy.exe	DllHost.exe
PID 2360 wrote to memory of 3952	2360	WngZy.exe	StartMenuExperienceHost.exe
PID 2360 wrote to memory of 4012	2360	WngZy.exe	RuntimeBroker.exe
PID 2360 wrote to memory of 3156	2360	WngZy.exe	SearchApp.exe
PID 2360 wrote to memory of 3756	2360	WngZy.exe	RuntimeBroker.exe
PID 2360 wrote to memory of 452	2360	WngZy.exe	TextInputHost.exe
PID 2360 wrote to memory of 2344	2360	WngZy.exe	RuntimeBroker.exe
PID 2360 wrote to memory of 2932	2360	WngZy.exe	backgroundTaskHost.exe
PID 2360 wrote to memory of 2396	2360	WngZy.exe	RuntimeBroker.exe
PID 2360 wrote to memory of 1864	2360	WngZy.exe	RuntimeBroker.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2424

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3844

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3952

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4012

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3156

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3756

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2344

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:2932

C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2356

C:\users\Public\WngZy.exe
"C:\users\Public\WngZy.exe" C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WngZy.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WngZy.exe" /f
4⤵
- Adds Run key to start application
PID:4824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2396

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1864

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:11752

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:17512

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
PID:17944

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3140

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:12072

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:31332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm
Filesize
112KB

MD5
1072b8da984c577b831b727b9ca07eef

SHA1
24292f2109fdf60243271a7e108b30afeadc52a4

SHA256
17d298cab941cd33aff261df5133db5e70f868ac1c938a122a2adcc8fe679aed

SHA512
1d824c77dd2c4d0c8eccfa62765491702472c5edc894e5e115a23a14afba2358480bcb15802de17b9996aa01203845a1a6441c50df95f5b3ca5efad18d799baa

Download Submit
C:\Program Files\7-Zip\7z.sfx
Filesize
209KB

MD5
7d1f37ed019adcb31ba60d50a5907ab7

SHA1
b6855b1918c1856d49aec0434a99464159ee483d

SHA256
d6b088ebc536aef703384ab2d4c7a2ace5d5172ec70a7bf709feaa411deef2ed

SHA512
5944237d5c113346988b2e363ca4d8db28056c9417055e8cfe51199f310daa7ddcd446721dae2095f040457c4b2c929861a38b03007b235c343ca18d42b45212

Download Submit
C:\Program Files\7-Zip\7zCon.sfx
Filesize
188KB

MD5
1825e8cdefa1edf27cde5a116b5d546f

SHA1
73c4663067dd1d86f69aca98ebbb36243ad0d410

SHA256
e91e283c62ace3aad580a2624c0592519ae7c3bf6077f2024728ecd117fc4395

SHA512
ce61f646e8e8ae506d293c5ab40de0825ad17492ec202b440cf48acce9b8866a3d3884a42c9cffb86503e324d023e0c6d64845cbe5aefb4b0b0fed282cdc4bbc

Download Submit
C:\Program Files\7-Zip\History.txt
Filesize
57KB

MD5
678e8240b5301398ac12bb43be0cde75

SHA1
77517563a84f0b24ac5016862003078eb2cddf32

SHA256
d3560e284f8db0158e726c92e63a8d5a8cec246948c5fbae1f9b60313081bae8

SHA512
773059c58c91dfa1af4688f368d48d7be4499e0eac15a79a7f80512b744ed6492f789ff80035c4c41578fc7c359f13d774260866d1743d605aa0249d832514d4

Download Submit
C:\Program Files\7-Zip\Lang\af.txt
Filesize
5KB

MD5
c0f94c60ccf5288c9a8b56bdc37602c7

SHA1
7f9e86c68438a866a5811f9354fcf33787a590cb

SHA256
24d5bedb858f04c4d918d403c412f7a80d60450578783123a49f0d6ea6c2f7f0

SHA512
689c88e769b965f3a981e7e2147d2d79c55d99d9ede5a0c530b0f6bfa82f0cb3666274e975f14e994ef3ea7ac7439f47d52a9c377b825c12b624edccc97b19b0

Download Submit
C:\Program Files\7-Zip\Lang\an.txt
Filesize
7KB

MD5
7eb3896bb1f9f8e77276ebe86f1afc5d

SHA1
ce61b219f4770fbd434d1303f87bb27f64042aee

SHA256
ac3ff70dc2535a533279cdb6700267f14114d4236967655aa124ea146977a731

SHA512
515140a732c9c328d099d0316ccacedc50c3141ff4d26007fdbd545215f25fde25f16f2eed2b6460dceeb3367cdcb6378ac1afbb89d40f5f0594d4f3d40f7c5c

Download Submit
C:\Program Files\7-Zip\Lang\ar.txt
Filesize
12KB

MD5
fc132ccff4db9d7622a68c9da79d61ec

SHA1
10a6c62cb44a6ee732680f272664036bd78cf7fd

SHA256
37ac629f5de9334a46749710ea89ca9f2a16c8e84607c7eafcd352de9b14e443

SHA512
b3a80686d14d80d5bbd4036038bf4df8d1e9aa94a97bb6ecc5905a36778fb09067d368f6e6898d18b881b76dde0b15d7c67a04314f37e35adde33de5e08d78ab

Download Submit
C:\Program Files\7-Zip\Lang\ast.txt
Filesize
5KB

MD5
48588ed392437772d514173262dd8dfd

SHA1
e1c266ee8e18aff955d220b9380d221964d0897b

SHA256
205b3c1297b25a1bedba18ce8ab5f831d341613030e65a1ea98cb3ee982985c6

SHA512
74c909dd25696d548742669ee0b626f0dda0150a34f23e6fe2e1d095208e03002cc3618ca060f38e81c0a4acacc768f2fe4f1f856fe8041b7f45ff19e92a1b1e

Download Submit
C:\Program Files\7-Zip\Lang\az.txt
Filesize
9KB

MD5
ba9b806c9ae6f25a8b5e194a4d237e5b

SHA1
71609918654df7484bd3a74a22088f2ba1772f5f

SHA256
195e1fa6e94374f25d851af09ea09a56a5fe33414dd9fd6edaf0393115cc961b

SHA512
575cf0b5c4fc0f8ca995b8322e3b7f2df610277b02e2447a033bf57be4595d49befe7805a36218bbcd8fa089d9966a07c906cadccc29f1fd82e059ecc4502306

Download Submit
C:\Program Files\7-Zip\Lang\ba.txt
Filesize
11KB

MD5
9f95b7815f2227f6f3180783a8f7971b

SHA1
d3caf9461b7b81111a37cc9f22e2b3d7eb17a5bb

SHA256
605f9c340b8b3a39a1b6275d16d81e313acac50664bb0e32d8de3f9e4500c022

SHA512
22da3f0f8eda3210dc06462f96b486591e7e59a0d91f4d2afbabc0dd4af6fbff7dd455fe8651fa1b50bef1b87a625909811018762a7f2a9ffba8b3b664cf2c8f

Download Submit
C:\Program Files\7-Zip\Lang\be.txt
Filesize
11KB

MD5
bfd7b625daef321ed8a78de2ac93b228

SHA1
6d9ca29f2a9afcc78be26c671e9748d10871723e

SHA256
2cd2f36a78ccc4f0f13528ea6f4e5d57aa76615429520e6077f220afe447cf8d

SHA512
c5851a5a89a8c2ddc251f0e9bdf03c716bb741b1608b2169f991f800cc7b2635a4d4f58df102d508a0873a0e0ae380a3e1b0b37a91a0e5fa2894d1006e08a3c0

Download Submit
C:\Program Files\7-Zip\Lang\bg.txt
Filesize
13KB

MD5
fddd177a80fe0c7fd8818c3eaa8ba759

SHA1
858a8048bebb3895bbd2eed2cb95d1ecc3240919

SHA256
5955983bb7d2c79a8d43dad0d2ec955131ade9dbdb7d93996c9ce503d77e696e

SHA512
8a588eeb8e0def94a5adb90bccf7ebd85c2a7b6ee8ae26f509c10ccc22bb3d6e6c27c00281c77e6c3544b58957d03bac6a7db95409944aac921193e24e171268

Download Submit
C:\Program Files\7-Zip\Lang\bn.txt
Filesize
14KB

MD5
109448375c56bdb9f5759334dd2e46e7

SHA1
ce87357aa2c23731e79987d731cd2bc411e72835

SHA256
dcbab6114f1388317e07b2800f6cce6bb8625cea4a6b6a2964bc32afdc340fae

SHA512
4ec3afd661a11137228721ca2c2c7f9188a342ff67c764475eac1ef52e8a45cbaba71cc48e11c2339ab859b99c12439273ea2ca361c4237011a95131bc3621fa

Download Submit
C:\Program Files\7-Zip\Lang\br.txt
Filesize
5KB

MD5
b3b12bb5a8b93a9140a798f4a54b0fc7

SHA1
3bde8fcf87d181e1cef0a781dffddca4e0a487b8

SHA256
8c456bd0ab03658134093932e74323bbcbcef5403c3b27112e9945b94e3ddd83

SHA512
32b4197eb2a0b53eafc43a3d9601b0b2d58be5918c9fdfdf87a2231dcf0647dfe1e5528ba2076d823fbc9649e03e3ba394b88e3617875ae35afa155f37f7035a

Download Submit
C:\Program Files\7-Zip\Lang\ca.txt
Filesize
9KB

MD5
c6a65c6fdb1cc961b7eb031bcbf27758

SHA1
8fb05fbb58030432c707c87eee6bafbcaa10fbd9

SHA256
9a28da0962176c2ba3a52a76c19e4d0f204b1256dc921e6bf00249968eceff58

SHA512
1d020284c00481fd93200fe3c971ca9ff0cb5c1c9bf86ffab3cf2d00d79b5829c94d8e27d7ebcb464d10970b54ec0f4780a345452da828bc16b7c57d2c3d81c9

Download Submit
C:\Program Files\7-Zip\Lang\co.txt
Filesize
10KB

MD5
9655d0aa860a4ab11235e0e04cd83539

SHA1
fa3ebdc7edc35e34589d7db6d117ad8af3fe51eb

SHA256
e915457a7ae20e7a0d16f520a9d624a9d74a03c307c1014706eba65f4504f13b

SHA512
878310a6d993cb4b7972fe80cc335c1887b69a6849cb12645d7675c7b80074f941521c0dc962489d0a887809fd8bb617c7922e41bc04c33b5a89f3f3f770403b

Download Submit
C:\Program Files\7-Zip\Lang\cs.txt
Filesize
9KB

MD5
615ddef60a7467836908a805550ba180

SHA1
7791b4c6b9e471a681b4e969cd961b701ab2fb18

SHA256
00765bf46f3a4cc4321daf27511f1347b007af3d298ec93817a6efe0e48df8a2

SHA512
e73490e98fa3df713cb468b707a4362508dc9e0718ff5d6aad21afa69e9519d3b9522ce8fbee71d6a5725f344b9fa19baf3608f9d5d4630e8178fee503e96867

Download Submit
C:\Program Files\7-Zip\descript.ion
Filesize
642B

MD5
921ccf2e9b074b036667647ec2b908a7

SHA1
8e20402f5465308ffc9f3b1a8c7a49d18bbf850e

SHA256
14f552066b364ec1042d7f4c5541c7d3a90fc48896bcc9e3373e3661e81cc51b

SHA512
a8611a67d642f0e8c2ccb728023592a86c70550d628a89363bd245dadcf61fcb9199587f3666d882e69649cc55b75e24b26b3a13cba66449817e6d0f1833547d

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_41e50f4a-4a76-42e1-a3df-51306e426307
Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Public\WngZy.exe
Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
F:\RyukReadMe.txt
Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
memory/2408-88-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-38-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-80-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-76-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-75-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-52-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-74-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-72-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-68-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-66-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-62-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-60-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-58-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-54-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-84-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-79-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-51-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-49-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-70-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-47-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-46-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-41-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-40-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-56-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-39-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-81-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-48-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-32-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-44-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-37-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-11247-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-82-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-83-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-102-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-90-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-92-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-94-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-96-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-98-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-100-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-104-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-86-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-105-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-107-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-85-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-64-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-43-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-29-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-9-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2408-8-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download
memory/2424-31290-0x00007FF688BF0000-0x00007FF688F7E000-memory.dmp

Filesize
3.6MB

Download