ryuk | d992871dd45a6302916f809eb54639a656c9e619451c10a03704735c424be0d9

Resubmissions

21-07-2024 15:03

240721-se4c2awdnp 10

21-07-2024 15:00

240721-sdg4eatfqg 10

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 15:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Size

384KB
MD5

5ac0f050f93f86e69026faea1fbb4450
SHA1

9709774fde9ec740ad6fed8ed79903296ca9d571
SHA256

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
SHA512

b554487c4e26a85ec5179cdcc1d25b5bc494e8821a8899fbbf868c3cf41f70cc72db107613b3f6655d3ab70f4db94cce2589066bb354b1ed955098d3911b844d
SSDEEP

6144:f5yaXtrA/WSo1rl3ALrlHQpn0BwK3SBDmhYfFQC:fTX6WSofcZ+KCIGD

Score

10^/10

ryuk persistence ransomware

Malware Config

Extracted

Path

F:\RyukReadMe.txt

Family

ryuk

Ransom Note

Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorithm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public. DO NOT RESET OR SHUTDOWN - files may be damaged. DO NOT RENAME OR MOVE the encrypted and readme files. DO NOT DELETE readme files. This may lead to the impossibility of recovery of the certain files. To get info (decrypt your files) contact us at [email protected] or [email protected] BTC wallet: 14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk Ryuk No system is safe

Emails

[email protected]

Wallets

14hVKm7Ft2rxDBFTNkkRC3kGstMGp2A4hk

Signatures

Ryuk
Ransomware distributed via existing botnets, often Trickbot or Emotet.
ransomware ryuk

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exekPnhF.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	kPnhF.exe

Deletes itself 1 IoCs

Processes:

kPnhF.exe

pid process

2224 kPnhF.exe
Executes dropped EXE 1 IoCs

Processes:

kPnhF.exe

pid process

2224 kPnhF.exe

pid	process
2224	kPnhF.exe

pid	process
2224	kPnhF.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\kPnhF.exe"	reg.exe

Drops file in Program Files directory 64 IoCs

Processes:

sihost.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProXC2RVL_KMS_ClientC2R-ul.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\orcl7.xsl	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial2-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ru-RU\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\sqloledb.rll	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.hash	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ChronologicalLetter.dotx	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-ul-oob.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\FUNCRES.XLAM	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\Office Word 2003 Look.dotx	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\spectrum_spinner.svg	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\apple-touch-icon-57x57-precomposed.png	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_hover_18.svg	sihost.exe
File opened for modification	C:\Program Files\7-Zip\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\messages_es.properties	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalDemoR_BypassTrial180-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\ind_prog.gif	sihost.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png	sihost.exe
File opened for modification	C:\Program Files\ReceiveWait.xltm	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prcr.x3d	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GOTHICB.TTF	sihost.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\SystemX86\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\rockbox_fm_presets.luac	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\EScript.api	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_ViewOnly_ZeroGrace-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription2-ppd.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\StandardR_Retail-pl.xrm-ms	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\flat_officeFontsPreview.ttf	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\zh-TW\RyukReadMe.txt	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	sihost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\vlc.mo	sihost.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons.png	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightDemiBold.ttf	sihost.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml	sihost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\directshow.md	sihost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

StartMenuExperienceHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

kPnhF.exe

pid process

2224 kPnhF.exe
2224 kPnhF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

kPnhF.exe

description pid process

Token: SeDebugPrivilege 2224 kPnhF.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

StartMenuExperienceHost.exe

pid process

14440 StartMenuExperienceHost.exe

pid	process
2224	kPnhF.exe
2224	kPnhF.exe

description	pid	process
Token: SeDebugPrivilege	2224	kPnhF.exe

pid	process
14440	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exekPnhF.execmd.exe

description	pid	process	target process
PID 3792 wrote to memory of 2224	3792	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	kPnhF.exe
PID 3792 wrote to memory of 2224	3792	23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe	kPnhF.exe
PID 2224 wrote to memory of 1556	2224	kPnhF.exe	cmd.exe
PID 2224 wrote to memory of 1556	2224	kPnhF.exe	cmd.exe
PID 2224 wrote to memory of 2572	2224	kPnhF.exe	sihost.exe
PID 1556 wrote to memory of 4848	1556	cmd.exe	reg.exe
PID 1556 wrote to memory of 4848	1556	cmd.exe	reg.exe
PID 2224 wrote to memory of 2620	2224	kPnhF.exe	svchost.exe
PID 2224 wrote to memory of 2760	2224	kPnhF.exe	taskhostw.exe
PID 2224 wrote to memory of 3724	2224	kPnhF.exe	svchost.exe
PID 2224 wrote to memory of 3936	2224	kPnhF.exe	DllHost.exe
PID 2224 wrote to memory of 4028	2224	kPnhF.exe	StartMenuExperienceHost.exe
PID 2224 wrote to memory of 740	2224	kPnhF.exe	RuntimeBroker.exe
PID 2224 wrote to memory of 3144	2224	kPnhF.exe	SearchApp.exe
PID 2224 wrote to memory of 4224	2224	kPnhF.exe	RuntimeBroker.exe
PID 2224 wrote to memory of 1576	2224	kPnhF.exe	TextInputHost.exe
PID 2224 wrote to memory of 1772	2224	kPnhF.exe	RuntimeBroker.exe
PID 2224 wrote to memory of 1048	2224	kPnhF.exe	backgroundTaskHost.exe
PID 2224 wrote to memory of 4144	2224	kPnhF.exe	RuntimeBroker.exe
PID 2224 wrote to memory of 5100	2224	kPnhF.exe	RuntimeBroker.exe

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Drops file in Program Files directory
PID:2572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2620

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3724

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3936

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4028

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:740

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4224

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1576

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1772

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
"C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3792

C:\users\Public\kPnhF.exe
"C:\users\Public\kPnhF.exe" C:\Users\Admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\kPnhF.exe" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\system32\reg.exe
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\kPnhF.exe" /f
4⤵
- Adds Run key to start application
PID:4848

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4144

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5100

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\4fe1ebd5c53c4ead84193b0af7a6475d /t 2188 /p 1576
1⤵
PID:9568

C:\Windows\system32\werfault.exe
werfault.exe /hc /shared Global\6c30a20c82bf4031b8040f5d0b86ed73 /t 4056 /p 4028
1⤵
PID:9360

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:14440

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:24224

C:\Windows\explorer.exe
explorer.exe /LOADSAVEDWINDOWS
2⤵
PID:24764

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:17744

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:19496

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:20544

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:20836

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:13252

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:13912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7-zip.chm

Filesize
112KB

MD5
5ca24063a29b89ad291c35048900b28f

SHA1
97878178f2a41975eb69e3dee1725e5c610cb55e

SHA256
bff85aaf9481bf4f690509a0fb6d87f29046b3ed24a15349c2a3db29ce1f4028

SHA512
75269c5f3d8f7ce827788ffc848745a25ae8f97753094b21b22b23103ec0c163b0e570e1cb48e7aee953e876fd9f1d0c398380647f972811c1d852dcfccfb44f

Download Submit
C:\Program Files\7-Zip\7z.sfx

Filesize
209KB

MD5
b21a3d2bd0c017eaa4e36c666da0638f

SHA1
d98faa074d2fa44e5d8fe71519d2e2177f676cff

SHA256
c22c971f25041949712119f474e58486f44d3cc9ad1f42ab71abbee044db5215

SHA512
968a42a23f9659a4e2988c5b9b6258fecb538727f580d7eb84f1b8db1de85aadaeffbe1d2bcc2b567f16d0897d0d3d547f3bb8306c7f8ea0c694b6198876f27f

Download Submit
C:\Program Files\7-Zip\7zCon.sfx

Filesize
188KB

MD5
d4e4a32ed632211a7a5fa531cd53ac15

SHA1
a21fc89062993c7f19e68c45393ce97f0be4e1d4

SHA256
33347f4fd76a3f43a2cd5d0740925d5cd67ae7298fa61de4c324f7aeea1a0d92

SHA512
9d35e7083b84dcdde66fc9f786263e7796f83951107d6a2a47c3ac76292f7920d281f2e886282acacd00b729d674a97d5d22a43b77af2e14535ea2a3e7bcf846

Download Submit
C:\Program Files\7-Zip\History.txt

Filesize
57KB

MD5
10d3e5fd6e5583530d06823475ab038a

SHA1
e93eb2787349ea79c4077a7ac7aa2edfc82ab70a

SHA256
cb6e7823d1bb85ba50a3647e5768a8553c325bedceaa125e8a67ad06aac3e34e

SHA512
ebd8a42d36a03de4aea3205df65ffc22212dd8ee0783b308ad25ffa34b25f127de9becef4270f3d53d016038a7bd2463d32bbd7578601fd2cab2d52949a03618

Download Submit
C:\Program Files\7-Zip\Lang\af.txt

Filesize
5KB

MD5
9a09a672b7f71442db86c981b9cbfda9

SHA1
d25686e62ed0976ac7294f2241cdf1150fd7ade9

SHA256
6af55bb035b3201f7e875721f2fff006691ffc4440f55d4bba4cc6eb28c515a7

SHA512
f0830ace70e2dcc3e91aaba86bed572802bb7cddf7e5f97705acd5c0fc4a47c35ea62ce8334e98bc182488156cbf1220171f8f6e6b445daa786a76ffa0749f32

Download Submit
C:\Program Files\7-Zip\Lang\an.txt

Filesize
7KB

MD5
17b490d4154407973618e9a976d2f417

SHA1
90c1ce478a5806554e317c32f298cc6df5be64ab

SHA256
54aed57f07135733726d61158991ec58db75efc9936bf5e1df8954fc478ed841

SHA512
8af20eb89897ae598f8dda12fc6faba4506c1d385a2de2cbd6365eb770bb4991e21a9c14223038c3bbf6e314c586515f84f88a33a5707cd5df54313c3f81678e

Download Submit
C:\Program Files\7-Zip\descript.ion

Filesize
642B

MD5
eb1f7d50351a79d976f6ecc80876cdac

SHA1
41b2bcdfaf697a387e36d104a562289e3e31d171

SHA256
8b40be38f9e64f0326a73adbddac97d6475e813a2726167dcb3f59631eff170f

SHA512
795dda603832722aae4679a8d394bae6ec965570ddb9fb41d767e09ca1ee706997b6fe66f02ef8cedf28a9508cd46f26a75f88b0da347d27c9e1a900e93c77fc

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_89cda556-130e-4f17-88ab-af18fe5b92e6

Filesize
52B

MD5
93a5aadeec082ffc1bca5aa27af70f52

SHA1
47a92aee3ea4d1c1954ed4da9f86dd79d9277d31

SHA256
a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294

SHA512
df388c8d83e779e006d6311b2046fcf9259ec33d379fc0e2c6a4b6b90418f587a12c5c23acd488413a02568ca2d3effe04608ec7c791925c7ed53dc71093ca45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
471B

MD5
c3e44e7f8586c3c5853a38e77387226e

SHA1
ac04a83b9a56b25767ee167290b7557a43fd62a2

SHA256
9fd1c8886204b3b75c24ed131ce0ae03a66fac8ef627b23e80ad7380db8ad270

SHA512
389cd8f15b4163bc77f065598ce74cafb3291ee6979e024ef7709c4dee5ae09ad672c816a535b4cf85b7c8a9b1ca574768899bed319268d2f1a608ee081b756b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9

Filesize
420B

MD5
7d3f80223748f8db0e5b5c40bbcebb0f

SHA1
f4728308275f2b4fa670d9bbe21618aa1999069b

SHA256
f07cfbc6434b6a009d24e27f83400724931e03317b9221581c8c2f7a9cf78b94

SHA512
1e10484c00024b82c60e4c6c03a267e1397e8c10a5bf8df6f0edf47d13e108418f7bdbef3424be7a518221ca7a5a5f34f578b8693c829bdbac77b6b43d2f595b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133660478725333158.txt

Filesize
75KB

MD5
fcd9ca06e096d0d02e4d3a23735c5aa2

SHA1
a8aaf5653662ce74839d2eaa8dada3806fc5027a

SHA256
d1cf0be5bbd43d8e7b50c2372b8d5b01dcb00cdc4ab901c4dcfe6e8a3ec85e8b

SHA512
1809a278c84967a36f8d0de0bf5aff164e04ff8527f5c460becacf15ab72f2fa55c54577d6f155862cfa8e89394b53a9cb7bdaa6aeff4e5278d7a6c96b2bac19

Download Submit
C:\Users\Public\kPnhF.exe

Filesize
170KB

MD5
31bd0f224e7e74eee2847f43aae23974

SHA1
92e331e1e8ad30538f38dd7ba31386afafa14a58

SHA256
8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d

SHA512
a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

Download Submit
F:\RyukReadMe.txt

Filesize
804B

MD5
cd99cba6153cbc0b14b7a849e4d0180f

SHA1
375961866404a705916cbc6cd4915de7d9778923

SHA256
74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2

SHA512
0c9f250c0e2ec9736b072a9807b6c3bec4b670ab2f511e65cf5d79e9a8c9a209eb91736ce2765b52b6d94a57c6aa1c16bb08e16727660699b70608439c8b7cda

Download Submit
memory/2572-66-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-80-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-99-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-97-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-95-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-93-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-88-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-87-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-85-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-84-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-83-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-82-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-78-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-76-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-74-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-72-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-70-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-103-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-64-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-62-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-90-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-60-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-86-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-58-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-55-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-101-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-54-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-52-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-51-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-50-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-48-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-44-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-43-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-41-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-40-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-35-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-106-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-107-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-91-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-89-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-68-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-47-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-42-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-32-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-8-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-49-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2572-13474-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/2620-10-0x00007FF6914D0000-0x00007FF69185E000-memory.dmp

Filesize
3.6MB

Download
memory/3936-16-0x0000026BFEB90000-0x0000026BFEB98000-memory.dmp

Filesize
32KB

Download
memory/3936-17-0x0000026BFEB80000-0x0000026BFEB81000-memory.dmp

Filesize
4KB

Download