Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system -
submitted
19-05-2024 18:19
Static task
static1
Behavioral task
behavioral1
Sample
5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
-
Size
384KB
-
MD5
5ac0f050f93f86e69026faea1fbb4450
-
SHA1
9709774fde9ec740ad6fed8ed79903296ca9d571
-
SHA256
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
-
SHA512
b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d
-
SSDEEP
6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD
Malware Config
Extracted
F:\RyukReadMe.txt
ryuk
14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk
Signatures
-
Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
WngZy.exe
5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | WngZy.exe
Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | 5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
-
Deletes itself 1 IoCs
Processes:
WngZy.exe
pid | process
2360 | WngZy.exe
-
Executes dropped EXE 1 IoCs
Processes:
WngZy.exe
pid | process
2360 | WngZy.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\WngZy.exe" | reg.exe
-
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
sihost.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\WasEverActivated = "1" | sihost.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
WngZy.exe
pid | process
2360 | WngZy.exe
2360 | WngZy.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WngZy.exe
description | pid | process
Token: SeDebugPrivilege | 2360 | WngZy.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
StartMenuExperienceHost.exe
pid | process
11752 | StartMenuExperienceHost.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe
WngZy.exe
cmd.exe
description | pid | process | target process
PID 2356 wrote to memory of 2360 | 2356 | 5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe | WngZy.exe
PID 2356 wrote to memory of 2360 | 2356 | 5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe | WngZy.exe
PID 2360 wrote to memory of 876 | 2360 | WngZy.exe | cmd.exe
PID 2360 wrote to memory of 876 | 2360 | WngZy.exe | cmd.exe
PID 2360 wrote to memory of 2408 | 2360 | WngZy.exe | sihost.exe
PID 876 wrote to memory of 4824 | 876 | cmd.exe | reg.exe
PID 876 wrote to memory of 4824 | 876 | cmd.exe | reg.exe
PID 2360 wrote to memory of 2424 | 2360 | WngZy.exe | svchost.exe
PID 2360 wrote to memory of 2512 | 2360 | WngZy.exe | taskhostw.exe
PID 2360 wrote to memory of 3624 | 2360 | WngZy.exe | svchost.exe
PID 2360 wrote to memory of 3844 | 2360 | WngZy.exe | DllHost.exe
PID 2360 wrote to memory of 3952 | 2360 | WngZy.exe | StartMenuExperienceHost.exe
PID 2360 wrote to memory of 4012 | 2360 | WngZy.exe | RuntimeBroker.exe
PID 2360 wrote to memory of 3156 | 2360 | WngZy.exe | SearchApp.exe
PID 2360 wrote to memory of 3756 | 2360 | WngZy.exe | RuntimeBroker.exe
PID 2360 wrote to memory of 452 | 2360 | WngZy.exe | TextInputHost.exe
PID 2360 wrote to memory of 2344 | 2360 | WngZy.exe | RuntimeBroker.exe
PID 2360 wrote to memory of 2932 | 2360 | WngZy.exe | backgroundTaskHost.exe
PID 2360 wrote to memory of 2396 | 2360 | WngZy.exe | RuntimeBroker.exe
PID 2360 wrote to memory of 1864 | 2360 | WngZy.exe | RuntimeBroker.exe
Processes
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵
- Drops file in Program Files directory
- Modifies registry class
PID:2408
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵ PID:2424
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵ PID:2512
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵ PID:3624
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵ PID:3844
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:3952
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:4012
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:3156
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:3756
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵ PID:452
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:2344
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca 1⤵ PID:2932
-
C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe" 1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2356
-
C:\users\Public\WngZy.exe "C:\users\Public\WngZy.exe" C:\Users\Admin\AppData\Local\Temp\5ac0f050f93f86e69026faea1fbb4450_JaffaCakes118.exe 2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
-
C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WngZy.exe" /f 3⤵
- Suspicious use of WriteProcessMemory
PID:876
-
C:\Windows\system32\reg.exe REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\WngZy.exe" /f 4⤵
- Adds Run key to start application
PID:4824
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:2396
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵ PID:1864
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
- Suspicious use of SetWindowsHookEx
PID:11752
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵ PID:17512
-
C:\Windows\explorer.exe explorer.exe /LOADSAVEDWINDOWS 2⤵ PID:17944
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵ PID:3140
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵ PID:12072
-
C:\Windows\explorer.exe explorer.exe 1⤵ PID:31332
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Public\WngZy.exe
Filesize
170KB
MD5
31bd0f224e7e74eee2847f43aae23974
SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58
SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249
-
F:\RyukReadMe.txt
Filesize
804B
MD5
cd99cba6153cbc0b14b7a849e4d0180f
SHA1
375961866404a705916cbc6cd4915de7d9778923
SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda