General Info

File name

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip

Full analysis
https://app.any.run/tasks/c57d25f8-7a0f-4263-97c9-eab20bab46fc
Verdict
Malicious activity
Analysis date
1/11/2019, 05:35:57
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

95cd7ac6c12144dd7e3abb879344465e

SHA1

bd414274654229b6e94339673187630b9e8ff987

SHA256

d992871dd45a6302916f809eb54639a656c9e619451c10a03704735c424be0d9

SSDEEP

3072:4B4UA79CJyI52vw2AmSXBbCp+s89xPoI0f3uB+MFnSQINX1wCgCbwoEYqEmUukgu:+A8UIAR8/+eBRFSjQsEYdmUukgA+/Y6m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Writes file to Word startup folder
  • dwm.exe (PID: 1996)
Actions look like stealing of personal data
  • dwm.exe (PID: 1996)
Runs injected code in another process
  • HvZVg.exe (PID: 2648)
Application was injected by another process
  • windanr.exe (PID: 2160)
  • dwm.exe (PID: 1996)
Changes the autorun value in the registry
  • reg.exe (PID: 2724)
Application was dropped or rewritten from another process
  • HvZVg.exe (PID: 2648)
  • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 3736)
Creates files like Ransomware instruction
  • dwm.exe (PID: 1996)
Creates files in the program directory
  • dwm.exe (PID: 1996)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 2216)
Starts CMD.EXE for commands execution
  • HvZVg.exe (PID: 2648)
Executable content was dropped or overwritten
  • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 3736)
  • WinRAR.exe (PID: 2808)
Creates files in the user directory
  • dwm.exe (PID: 1996)
Dropped object may contain Bitcoin addresses
  • dwm.exe (PID: 1996)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report

Static information

TRiD
.zip | ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2018:08:19 18:01:03
ZipCRC:
0x794678da
ZipCompressedSize:
195793
ZipUncompressedSize:
393216
ZipFileName:
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Screenshots

Processes

Total processes
38
Monitored processes
8
Malicious processes
3
Suspicious processes
0

Behavior graph

(Behavior graph is rendered as an image in the original; only the extracted node and edge labels survive.)
Edges: start; drop and start; inject; inject
Nodes: winrar.exe; rundll32.exe (no specs); 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe; hvzvg.exe (no specs); cmd.exe (no specs); dwm.exe; reg.exe; windanr.exe
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
1996
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll

PID
2160
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

PID
2808
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll

PID
2536
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\propsys.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\version.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\ehome\ehshell.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\mspaint.exe
c:\windows\system32\notepad.exe
c:\progra~1\micros~1\office14\ois.exe
c:\program files\opera\opera.exe
c:\program files\windows photo viewer\photoviewer.dll
c:\program files\videolan\vlc\vlc.exe
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\wmploc.dll
c:\program files\windows media player\wmplayer.exe
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\netutils.dll

PID
3736
CMD
"C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
Path
C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\public\hvzvg.exe

PID
2648
CMD
"C:\users\Public\HvZVg.exe" C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Path
C:\users\Public\HvZVg.exe
Indicators
No indicators
Parent process
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\public\hvzvg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll

PID
2216
CMD
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HvZVg.exe" /f
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
HvZVg.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2724
CMD
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\HvZVg.exe" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

Registry activity

Total events
548
Read events
504
Write events
44
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP |
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon |
2808 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF42000000420000000204000037020000
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | name | 120
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | size | 80
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | psize | 80
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | type | 120
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | mtime | 100
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\ArcColumnWidths | crc | 70
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_0 | 38000000730100000402000000000000D4D0C800000000000000000000000000320101000000000039000000B40200000000000001000000
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_1 | 38000000730100000500000000000000D4D0C8000000000000000000000000003401010000000000160000002A0000000000000002000000
2808 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General\Toolbar\Layout | Band56_2 | 38000000730100000400000000000000D4D0C800000000000000000000000000160102000000000016000000640000000000000003000000
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Adobe Acrobat Reader DC
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\eHome\ehshell.exe | Windows Media Center
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\mspaint.exe | Paint
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\NOTEPAD.EXE | Notepad
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\PROGRA~1\MICROS~1\Office14\OIS.EXE | Microsoft Office 2010
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Opera\Opera.exe | Opera Internet Browser
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows Photo Viewer\PhotoViewer.dll | Windows Photo Viewer
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\VideoLAN\VLC\vlc.exe | VLC media player
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Microsoft Word
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @wmploc.dll,-102 | Windows Media Player
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows Media Player\wmplayer.exe | Windows Media Player
2536 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows NT\Accessories\WORDPAD.EXE | WordPad
3736 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3736 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2648 | HvZVg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
2648 | HvZVg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
2724 | reg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | svchos | C:\users\Public\HvZVg.exe

Files activity

Executable files
2
Suspicious files
116
Text files
75
Unknown types
5

Dropped files

PID
Process
Filename
Type
2808
WinRAR.exe
C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
executable
MD5: 5ac0f050f93f86e69026faea1fbb4450
SHA256: 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
3736
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
C:\users\Public\HvZVg.exe
executable
MD5: 6cdcb9f86972efc4cfce4b06b6be053a
SHA256: 5d92914acdfb551c237866cc4cce6c80aeeeb695e52beecd2613694302c62271
1996
dwm.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
binary
MD5: 656553d0f37247f469ffe882af81f2c4
SHA256: f2531c98395c19a59bf4b40f13b6ad13bcf767df5e47554d08e77983056073ed
1996
dwm.exe
C:\Users\Public\Videos\Sample Videos\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
binary
MD5: 30d63610a3d23b05488220915d4dffc6
SHA256: d2a6a81ef9fe44fa1cee622904ae4e275da71fe1252d0d9793f11b77626c80db
1996
dwm.exe
C:\Users\Public\Recorded TV\Sample Media\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
binary
MD5: fd8e94167fac56571b1f504faf8a4ac9
SHA256: f8e842c1957ff695e507a01518dcfa16d71ba0fcb2323924cf26fb0f7cb709ea
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
binary
MD5: 4f2f2da1f770224ebd04fc27f87ae833
SHA256: d98faf3d665961066377917bdf2e7c849b5cea007bbaf497702c23d1796d358f
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
binary
MD5: dfb0a142a9543a9e3a1de8540269b3d5
SHA256: 6f4a7423d0338a8a1118c45d14572aa88d38968a882dbc1cddff659e31c4fd8e
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
binary
MD5: 63a87f44d6657dacd27e01a0e4346f97
SHA256: 13b52dfcf6c19f4297ff80a66797062e31391f589ace1c9aad93038286d539d7
1996
dwm.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
binary
MD5: 4753f66a541fbf8d5641b616d05f6dec
SHA256: b244b056df06c8da09bb5d185f4d92a4502ccee0d79532e910130d18a4654626
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Document Building Blocks\1033\14\Built-In Building Blocks.dotx
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000002
binary
MD5: d4bf3ab7f0eae28ee284c42875dfc5a6
SHA256: 7d7ebdaf2a46090d32fa9567679991d03a7b73b5c6c911c9747a64fd3fcf601d
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_1
binary
MD5: 4bedc8c82704db8b4a2b44c5d2359dd0
SHA256: 374e7b519ce30a500ffa64d634f694cf44e19e025f9e06636aa0b786c78be3bc
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\f_000001
binary
MD5: 93b89e4f69bb0653c7757494076afab0
SHA256: f39c547bb70a505ab493450b3f1972b63f3023c99e7f2b4ae29abc6b8c7c6dad
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\data_0
binary
MD5: 944f878a30bdb96686013f2412f6c270
SHA256: 822baa3fccadfe23532b0865d63b2ab717552223a64e20d076655762a492b64a
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\Cache\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Skype for Desktop\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Signatures\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher Building Blocks\ContentStore.xml
binary
MD5: ff7e4df3dc32f4dd9e3e589b178c38b1
SHA256: 7c030220a4c57771832a9094adf0022c9665f0e9c44b3b6af311a84a2f81d4ea
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Protect\S-1-5-21-1302019708-1500728564-335382590-1000\29fd2168-360f-422a-a685-e6961ea74ba8
binary
MD5: 5ad7c44ede85831233eeae5a59f7fa8e
SHA256: 402b040262e69a253962fb04744d6b480519ec4049e5c038bd532b47b4e000df
1996
dwm.exe
C:\Users\admin\AppData\Roaming\Microsoft\Publisher\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f

Find more information about the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

No debug info.