General Info

File name

23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip

Full analysis
https://app.any.run/tasks/db522d80-80a2-4b9c-925a-592fa38fbff4
Verdict
Malicious activity
Analysis date
1/11/2019, 04:56:31
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

Indicators:

MIME:
application/zip
File info:
Zip archive data, at least v2.0 to extract
MD5

95cd7ac6c12144dd7e3abb879344465e

SHA1

bd414274654229b6e94339673187630b9e8ff987

SHA256

d992871dd45a6302916f809eb54639a656c9e619451c10a03704735c424be0d9

SSDEEP

3072:4B4UA79CJyI52vw2AmSXBbCp+s89xPoI0f3uB+MFnSQINX1wCgCbwoEYqEmUukgu:+A8UIAR8/+eBRFSjQsEYdmUukgA+/Y6m

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Writes file to Word startup folder
  • dwm.exe (PID: 1996)
Actions look like stealing of personal data
  • dwm.exe (PID: 1996)
Runs injected code in another process
  • Dpwel.exe (PID: 3076)
Application was injected by another process
  • windanr.exe (PID: 2196)
  • dwm.exe (PID: 1996)
Changes the autorun value in the registry
  • reg.exe (PID: 3204)
Application was dropped or rewritten from another process
  • Dpwel.exe (PID: 3076)
  • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 908)
Creates files like Ransomware instruction
  • dwm.exe (PID: 1996)
Creates files in the program directory
  • dwm.exe (PID: 1996)
Uses REG.EXE to modify Windows registry
  • cmd.exe (PID: 2672)
Starts CMD.EXE for commands execution
  • Dpwel.exe (PID: 3076)
Executable content was dropped or overwritten
  • 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe (PID: 908)
  • WinRAR.exe (PID: 2960)
Creates files in the user directory
  • dwm.exe (PID: 1996)
Dropped object may contain Bitcoin addresses
  • dwm.exe (PID: 1996)

Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.zip
|   ZIP compressed archive (100%)
EXIF
ZIP
ZipRequiredVersion:
788
ZipBitFlag:
0x0001
ZipCompression:
Deflated
ZipModifyDate:
2018:08:19 18:01:03
ZipCRC:
0x794678da
ZipCompressedSize:
195793
ZipUncompressedSize:
393216
ZipFileName:
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2

Processes

Total processes
40
Monitored processes
9
Malicious processes
3
Suspicious processes
0

Behavior graph

Graph nodes: winrar.exe, rundll32.exe (no specs), 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe, dpwel.exe (no specs), cmd.exe (no specs), dwm.exe, reg.exe, windanr.exe, taskmgr.exe (no specs)
Edge labels: start, drop and start, inject
Specs description

  • Program did not start
  • Integrity level elevation
  • Task contains an error or was rebooted
  • Process has crashed
  • Task contains several apps running
  • Executable file was dropped
  • Debug information is available
  • Process was injected
  • Network attacks were detected
  • Application downloaded the executable file
  • Actions similar to stealing personal data
  • Behavior similar to exploiting the vulnerability
  • Inspected object has suspicious PE structure
  • File is detected by antivirus software
  • CPU overrun
  • RAM overrun
  • Process starts the services
  • Process was added to the startup
  • Behavior similar to spam
  • Low-level access to the HDD
  • Probably Tor was used
  • System was rebooted
  • Connects to the network
  • Known threat

Process information

PID
1996
CMD
"C:\Windows\system32\Dwm.exe"
Path
C:\Windows\System32\dwm.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Desktop Window Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\dwm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\dwmredir.dll
c:\windows\system32\dwmcore.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\ole32.dll
c:\windows\system32\d3d10_1.dll
c:\windows\system32\d3d10_1core.dll
c:\windows\system32\dxgi.dll
c:\windows\system32\version.dll
c:\windows\system32\dwmapi.dll
c:\windows\system32\psapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\cryptbase.dll

PID
2196
CMD
"windanr.exe"
Path
C:\Windows\system32\windanr.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\windanr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winanr.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winsanr.dll
c:\windows\system32\psapi.dll
c:\windows\system32\version.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\mpr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

PID
2960
CMD
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip"
Path
C:\Program Files\WinRAR\WinRAR.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Alexander Roshal
Description
WinRAR archiver
Version
5.60.0
Modules
Image
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\shlwapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shell32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\uxtheme.dll
c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
c:\windows\system32\msimg32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\riched20.dll
c:\program files\common files\microsoft shared\ink\tiptsf.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\mpr.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\netutils.dll
c:\windows\system32\wpdshext.dll
c:\windows\system32\winmm.dll
c:\windows\system32\portabledeviceapi.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\audiodev.dll
c:\windows\system32\wmvcore.dll
c:\windows\system32\wmasf.dll
c:\windows\system32\ehstorapi.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\samlib.dll
c:\windows\system32\profapi.dll
c:\windows\system32\explorerframe.dll
c:\windows\system32\duser.dll
c:\windows\system32\dui70.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll

PID
2744
CMD
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\propsys.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ehstorshell.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cscui.dll
c:\windows\system32\cscdll.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\slc.dll
c:\windows\system32\imageres.dll
c:\windows\system32\version.dll
c:\program files\adobe\acrobat reader dc\reader\acrord32.exe
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\ehome\ehshell.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\mspaint.exe
c:\windows\system32\notepad.exe
c:\progra~1\micros~1\office14\ois.exe
c:\program files\opera\opera.exe
c:\program files\windows photo viewer\photoviewer.dll
c:\program files\videolan\vlc\vlc.exe
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\wmploc.dll
c:\program files\windows media player\wmplayer.exe
c:\program files\windows nt\accessories\wordpad.exe
c:\windows\system32\netutils.dll

PID
908
CMD
"C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe"
Path
C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\users\public\dpwel.exe

PID
3076
CMD
"C:\users\Public\Dpwel.exe" C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
Path
C:\users\Public\Dpwel.exe
Indicators
No indicators
Parent process
23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\public\dpwel.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\shell32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\system32\oleaut32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll

PID
2672
CMD
"C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\Dpwel.exe" /f
Path
C:\Windows\System32\cmd.exe
Indicators
No indicators
Parent process
Dpwel.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3204
CMD
REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\Dpwel.exe" /f
Path
C:\Windows\system32\reg.exe
Indicators
Parent process
cmd.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
16288
CMD
"C:\Windows\system32\taskmgr.exe" /4
Path
C:\Windows\system32\taskmgr.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Windows Task Manager
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\taskmgr.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\pcwum.dll
c:\windows\system32\shell32.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\credui.dll
c:\windows\system32\vdmdbg.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\slc.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\winsta.dll
c:\windows\system32\utildll.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\browcli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\version.dll
c:\windows\system32\windanr.exe
c:\windows\explorer.exe
c:\program files\winrar\winrar.exe
c:\windows\system32\dwm.exe
c:\windows\system32\propsys.dll
c:\windows\system32\dllhost.exe

Registry activity

Total events
556
Read events
523
Write events
33
Delete events
0

Modification events

PID | Process | Operation | Key | Name | Value
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
2960 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
2960 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface | ShowPassword | 0
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Adobe Acrobat Reader DC
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\eHome\ehshell.exe | Windows Media Center
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\mspaint.exe | Paint
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Windows\system32\NOTEPAD.EXE | Notepad
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\PROGRA~1\MICROS~1\Office14\OIS.EXE | Microsoft Office 2010
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Opera\Opera.exe | Opera Internet Browser
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows Photo Viewer\PhotoViewer.dll | Windows Photo Viewer
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\VideoLAN\VLC\vlc.exe | VLC media player
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Microsoft Word
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | LanguageList | en-US
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E | @wmploc.dll,-102 | Windows Media Player
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows Media Player\wmplayer.exe | Windows Media Player
2744 | rundll32.exe | write | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache | C:\Program Files\Windows NT\Accessories\WORDPAD.EXE | WordPad
908 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
908 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3076 | Dpwel.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0
3076 | Dpwel.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1
3204 | reg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | svchos | C:\users\Public\Dpwel.exe

Files activity

Executable files
2
Suspicious files
158
Text files
84
Unknown types
2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2960 | WinRAR.exe | C:\Users\admin\Desktop\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2 | executable | 5ac0f050f93f86e69026faea1fbb4450 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2
908 | 23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.exe | C:\users\Public\Dpwel.exe | executable | 6cdcb9f86972efc4cfce4b06b6be053a | 5d92914acdfb551c237866cc4cce6c80aeeeb695e52beecd2613694302c62271
1996 | dwm.exe | C:\Users\Public\Music\Sample Music\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\Public\Libraries\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\Public\Music\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\Public\Downloads\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\Public\Pictures\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\Public\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\Public\Videos\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Searches\Everywhere.search-ms | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Saved Games\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Pictures\visualcomplex.jpg | binary | 80abb5a5cfbfe5ce2a224326896b2044 | 67e395dbd4efecc7d2492faebc457b4507e1fde8f2cd68ca9e7d00ca6e8c658c
1996 | dwm.exe | C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Pictures\iceplace.jpg | binary | 93c55445dbbe2ff3ecaca3f4add12a55 | 3dce97ed795f87fb866af95adaaeb28a9ae9cf2afcb650ccfa286a44c24d5192
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Pictures\likelysignificant.jpg | binary | c9938bb42594e9c2727960abf5e1ebbb | 1b7618020ec10280141fdb95a10b820fc978e448203b34cd3b1ef1f703399fce
1996 | dwm.exe | C:\Users\admin\Pictures\canadianreviews.png | binary | bae71cd8ddbbf2406d5748698bbb4440 | 84e520a7bc1550dcdbf030d66100002b1964a281f430212d07d8a91e39821032
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\SendTo\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\Pictures\fairedge.jpg | binary | d1b94bfda2c9c5d7a10e4cd83ed14e0c | 6a664e1f6a04af5dacb22e2da8bd57aba98b3a060c0bca2b9a45134212f4e6a7
1996 | dwm.exe | C:\Users\admin\Pictures\wastefor.jpg | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Searches\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Printer Shortcuts\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSNBC News.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSN Autos.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSN.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Links\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSN Money.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\Favorites\MSN Websites\MSN Sports.url | binary | e4cc2417f7d773cece9ec266436ee223 | d418e9040b3b15d2f5dfdf5df1438814783b87b2b01d7fa96960af63a8c01f5f
1996 | dwm.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\Outlook Logging\honeypotcom-Outgoing-09_09_2018-17_29_56_681.log | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Local\VirtualStore\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\q0fctjyz.f1a | binary | 130b64dd377b7d25e07b64977b921dd2 | e046a7776abe714149aa700717b5c37fadaa3b628abf8b0ac76914800df1a13d
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\ritlysox.k21 | binary | 1edc231ab101c499b20f98caa524bc32 | 833cafa1040e56bb98bac627df63a17d6abc49b2df419da59d2455720ac20d29
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\RyukReadMe.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\Setup Log 2018-08-30 #001.txt | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\LocalLow\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\pyaihe5n.q4n | –– | –– | ––
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\u5bgdfrb.vkf | binary | 17ea5d73886261d71bc20c05edbc7a30 | 61ae7bd3eb745fa437ab1f1de3c09b95a29d75a62ef4b3bea4996599963e3ba2
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\qmbra1pm.vko | binary | 55353b932888b533ab192eaf2598c109 | 5dc066bc24f040aa79e03eb922362b6f3383aa3dca3e8d2bdbe4b14363a0c3ba
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\uredjclk.2xv | binary | 585f9acb3a4c45a88c665379506046c0 | 39d41919a32b771ee0fd8b4bf1ae149a58ba84068f6335cd5ce138fc08017e4d
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\ws2faywb.vfo | binary | 116be71a86d84ec27b1baab42f395032 | 8a317bf4219725dfc70bf794fa572c08fd4dd10912acea80c1c748f60a72fb5e
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\s4wj4ou2.xnp | binary | 929e18228a4a74ff0b490bb378c07d9d | d904245353a2840d9036c10fb35aef4958b2f32f9ff51a4336af364196d05287
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\uibswgtl.2zb | binary | b616901d7896287d9085a11ac7e54dfb | e9a160702bd7ba75ab6067f216f2df449bd84452e50a93e7fa59d10c389586f1
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\WPDNSE\RyukReadMe.txt | text | cd99cba6153cbc0b14b7a849e4d0180f | 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\Outlook Logging\honeypotcom-Incoming-09_09_2018-17_29_56_681.log | binary | d8097e36644359920685fbef6ae72421 | 4ba1d60eb8e6da883f4f3cf77746dda17813ab4dd9294d561f6ffb8ed388d6a1
1996 | dwm.exe | C:\Users\admin\AppData\Local\Temp\x23vy1sc.1vg | binary | 1f91c0096bc799b2d76db21a4a410521 | 2ee913b162286e852edec600b916c1e3052fa0307aaa88162611133ccb9f2a56
1996
dwm.exe
C:\Users\admin\AppData\LocalLow\Adobe\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\skype-preview Crashes\operation_log.txt
binary
MD5: 30638fef805071cc7ec807718cd3d183
SHA256: dff1e0f56ea3f2e92ec9e053dd901c68791382df4f6443a61472112ec66df148
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\v55btscy.ca1
binary
MD5: 0b29b8e11e554a7d904e3258684e7b90
SHA256: 3183c560733e3a5995592dd76581b8910dcc46b926f9d22a3f8975fcd7d60124
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\qi3fpmku.0jy
binary
MD5: 050c11ba77229e79f6216ecd24713532
SHA256: c99d80f99d7e70e1df8e3a61c6557f503076e5d54ef537325c8e52194f525f20
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\StructuredQuery.log
binary
MD5: cca9591fde49bd4af05a865e34feaf5d
SHA256: 0907baf3495246279a6e8f00a6cb7b94e7a5437b0afe5672f10bcc866865573c
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\srwm4svh.1sd
binary
MD5: 63875ea2535e8f9899b8f47187e023e4
SHA256: d9fec3be456a5a2f849618fd38fee80ddceb0c831d6cd5bfee3e23f8a563c562
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\AdobeARM.log
binary
MD5: 32b4c3c0908dbaac9fa84ae9d41fb448
SHA256: cdd8af7f76f481d67e91d9f3f7f26f1e9cac88be0d1ab3da285b8693bbf0eb7b
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\mjtlak2p.tzf
binary
MD5: 755badabbfbb7138907d5c208f3fda4b
SHA256: 70b3c5e75a9ba21051526121712a28f11addd62d024eeaee5846ebed1fd93ac3
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\Low\RyukReadMe.txt
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
binary
MD5: 09e04085416445e6dbfb6e5558b4c6a2
SHA256: 9b1ddf24f3fc55063fa1f1ff35f62a86f5ceaa6592d0933736c713e2e457bba5
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\diaypwhu.oh3
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\ad8633da-d0ac-45bc-b008-644545661546.tmp.ico
binary
MD5: a373963b6155ec8d1bc83dfbdb767fbd
SHA256: 4ae0b85228fd0622a4a1e0158350dfc608e9c939ab93da471073aca4b6ba082a
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\f1082751-89f8-42d7-b5bb-1e88ef66d1ac.tmp.ico
binary
MD5: db248c08f82eca951e8fbe4cb7c92f1c
SHA256: 02f8ca836cb7050c32e7d185849942c46a79b865fd7dc89788785d4a53cd61a9
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\mhxxx0jc.4qg
binary
MD5: 97c6554b8812197c06959f78d60c9822
SHA256: feca4e701dc9ca500bdd0993d6ee5f7506b2ddb820348a33ac3cdb644fc294ca
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\d3odubo1.al1
binary
MD5: 867838f14eeb4b7e673984f886979cb1
SHA256: ddbb9fa79fa7ea3edb09e68209f362b152bd3b0aeb75787eff9622b9b1f4f756
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\Outlook Logging\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\fcsusyoa.m1j
binary
MD5: 0be5797e2e5ec43a44e8dc33b2f5098b
SHA256: e180e23ab710c7578f4bf6cf1f32b6842175ddc8b73e27f6af4d4ae9bf78b44b
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\c98e5214-1496-4911-91b1-d6265bf87e7a.tmp.ico
binary
MD5: dacd5f6a39d75cc52bcaa077e95887c7
SHA256: 213bb81f2b1c063ff5ed351a1f31da99bbee253463e59ad50e4ddde591e53c7f
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\mhoygajt.zq5
binary
MD5: 8298530971151d2c1897681a97aed1ae
SHA256: a6eaa147412cf128b3164a424e0d2dc0809729ed16b87708cc1358af0edb4b5b
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\j1ljkscq.ezy
binary
MD5: 1960307e0f441f236acbf63bf52257df
SHA256: 6568b3b03c243f4a0dc53c2fe43ba091be689c2932df701c4761cb973022a42f
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\f2879bd0-4943-42e3-aefb-b1eed71f1693.tmp.ico
binary
MD5: d44868cb574ab97353dc17c133d0f3d6
SHA256: 2d6ee174a93fe7cc7d60cdc3fe706b075bbaafb02403c43280b4399eca859c19
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\opijhvp0.v2i
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\DbTemp\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\c7beb18a-4d0a-409c-9eee-8ee35df9610d.tmp.ico
binary
MD5: 5c44f0953181ccc1918825eb5e00e3a9
SHA256: 1afc7260fabad1cb65d7ef77bac9310e25772be76abbcec67806fab0c4407d6d
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\aw05z3gl.wtj
binary
MD5: aaa5b1df95a38a43961d3f8344aaa2b9
SHA256: 0e70c89377b6c326203bceb71d0a7c848992162053698d7e10f865336f186f00
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\AdobeARM_NotLocked.log
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\ijqbflu1.kuo
binary
MD5: b03380df6abd9371bf6348c4513f8780
SHA256: a8814115f1bdc022e25617d43bc593ff8db0d2acdc1f6b1641eade6720185686
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\ba2uocjv.e4o
binary
MD5: 75a8570e232663c7762de78242ef4ba0
SHA256: c1d0d66a2146ca06a1fe6ed82fe38ef20cd4c4f8e80be32e7a5d3ade31ef941d
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\ai1gpvo3.oed
binary
MD5: 7d287fb7c66761c7d06b6187ae6d9d55
SHA256: 1f75a1804d1e251cae30feb82479717462f34a2591c43f3ab7eae418d6992054
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\cg4nof20.j5j
binary
MD5: dda964e708906bd071cda86eb2ea47aa
SHA256: 2cb4725013fb6ea0a8165815c7c1d754a8bf5645e1a050506f34ed2a71cad322
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\Temporary Internet Files\Content.IE5\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\Temporary Internet Files\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\lilo.716\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\5qdmjkgj.mxa
binary
MD5: f734cc2e47e47e4a4d6b078ec9735d1b
SHA256: 81330cbd5ec512a510763cdbe569dcb7cfba94416fd10c111310cc18d8174856
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\1d32c33c-f394-4624-81da-f1b9ee07d017.tmp.ico
binary
MD5: de024ace2f1532851b27a27f4dcc34f2
SHA256: 78eb9b76132e2d161a59fdd3cff924d233aa367e4c27c98e35af5b008abcc570
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\32gizitf.v0b
binary
MD5: 29f6d1e857eb3c301ca3a1256cac22d7
SHA256: 001667e6b72b4a9ef4a4199b50ab71419701c423c7e96774c6ac393d51e97af4
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\widevine\win-ia32\manifest.json
binary
MD5: 825f6c5ac6b37cb2f6232cb923b83622
SHA256: 21c75fca8ec58528a691d2f74e3be478cceefd79903678bec7435bcd3a456cd1
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\widevine\win-ia32\LICENSE.txt
binary
MD5: 5eff596e9fad42eb567616f4b498be13
SHA256: 7d7af48a0be3de87cd3b764577847664915a6c916df5d0f2febb06b600f26bbc
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\23f8aa94ffb3c08a62735fe7fee5799880a8f322ce1d55ec49a13a3f85312db2.zip
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Temp\acrord32_sbx\lilo.2604\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\htmlcache\UserPrefs.json
binary
MD5: 35295db68bf99850bb34caf45baa4e1d
SHA256: f02f39c27457de74aa5ed2c7c7a33ea06baf5bf106e25e482edf2f883695fe21
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\htmlcache\Visited Links
binary
MD5: dda1f6478850443c15259ede4b4ae784
SHA256: 096b20b28e7a95b48b1acd920452b85b768896809cd793dffadf2c6a1e2b71ce
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\widevine\win-ia32\RyukReadMe.txt
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\widevine\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\htmlcache\LOG.old
binary
MD5: 5b08059005768bc5e926577857e55254
SHA256: 7bac55467b58137b22737ec675c8dc5ac602f8953fcbc5109731c36390a31f34
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\htmlcache\LOG
binary
MD5: 8febd060aba343947e4b87811f33bade
SHA256: 959db7f40cb3c085fc526870f4afd7f9d7c42f9e85322b7ca9b7fb39e31ae7c6
1996
dwm.exe
C:\Users\admin\AppData\Local\Steam\htmlcache\MANIFEST-000001
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\e7a7c0d5-0e34-4323-9576-f37e394faa8a.png
binary
MD5: 208adbb97501c3cbe391c97b416ad6e4
SHA256: 32a6083c852402b84427e816b5b1852ece3ef5556496da87f1a103bc4dddf1d8
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\bf4e96cf-9460-4049-8172-cfb4bec57f8e.png
binary
MD5: 04799a783c2dff5b365cade5613ab29b
SHA256: f56958e547ab0f8f7f56d440b44a6e21d1c01e8d28a62e560c0006edd1b29609
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\c129b038-2a0f-4994-b354-64ed233a0973.png
binary
MD5: 3f87932db2726ca034171b37ff8f9a2b
SHA256: de04a06069a165e82f3c5f81599f3966decb8d3226c5dc60d93a900a852823ec
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d2a0e881-e736-4694-b4e5-62a677ac17bf.png
binary
MD5: 530a079eb2a254c7bc1a66426a12761b
SHA256: bcc900cc2ed5aca0684380abb18f82275d5dce4307b3ac492509a69bf8334fc5
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\a4fbc2bf-8cc2-4a6d-b3c7-0ef749399e7f.png
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\62e3dfa2-4350-445b-8693-d1d04a74543c.png
binary
MD5: e1a4744c653895133d2f4a8fa2c50dd1
SHA256: 1eed2f04ea5fa433892ffb18be19efe0759e8ade40461fa125a05ed71f5869b9
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\bb4e150b-7e2a-4556-81dd-590d7ab07dda.png
binary
MD5: c637ac1b3fd233362d19aa06a3676d27
SHA256: 858e3e49e40d5b99ecfb554ff1e5dd12afa33835bda9a9ac5d479cf6cb9335a8
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d137f4ab-4b3d-439e-836f-ffbbc700bef1.png
binary
MD5: 5c96e044e5d3e1f408da48ad9d2441fa
SHA256: 023dd4703095940008b11c1acec570e0bf75a12ed43edc27df9f6ff6c7074a11
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\be1e893c-ed6d-4ac9-933e-dd5340e7c76f.png
binary
MD5: cf0d39d883ad2e3d2c697bd4f781734f
SHA256: b6d7c0e1566980883c7a057fe5f80d442709f320379e97f0390681d25f8ff542
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d024a53a-b32a-417d-8f75-e1998be423af.png
binary
MD5: c008c2118dcfe0a39eb400f22130f1b8
SHA256: 0c015e659ac047bf8a8ac83d8b39ca97c368d327052b220ff4f7e6685f5a04d5
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\6a8b0e06-e9a5-4761-afda-29391149e64d.png
binary
MD5: 756c3b521656b3c05c812faea5fc1409
SHA256: 7c13595ac1faf85882c9d82742d7f799e3f03976bb1a26f64768d387c3b6350c
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\e29a7eaf-32ad-400c-9927-05c358358ffc.png
binary
MD5: 987d3feb758605fddb569261275b2660
SHA256: 90a157bceae36cd8513a71f0000ae1e0a630db0613366af379c34963b0d66e03
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\e51cf594-e321-4d1c-88e7-df9cde80904c.png
binary
MD5: e07140c6e138f97367b29e0d7553f4a3
SHA256: 68907361d908dd06512ed55c1770394df823bb157f1cd35e79e8332191717a1a
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\7b168dd1-e39e-4b39-918c-53b9e78365e9.png
binary
MD5: 3e809d9cbb4c80e18a5dc980a4bdacf5
SHA256: 55cbf90e0c2ad2cb2b0c1faab999623b39635edc00f098d57a7f54f50e0248d9
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d32a2c63-e181-4374-a527-d8ec3791e0cc.png
binary
MD5: 028fb9ecba9a11f969f77827c7555a52
SHA256: a16c202a1c03bbf0c5d95dc89b4285b1589652ee47e4836f2ca0bf9fdb2be9d0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d13b95bf-2bb1-4c3d-a85c-9ac5e1cb3884.png
binary
MD5: 81dd500150e2e7c6056d4854d4e7b91a
SHA256: 00e613ab88b7e09870d9cd38eed6aee78e44766e99fd1f8ac7b03f6675fe9e4d
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\d6f82e07-6756-4003-877a-af43e54f9781.png
binary
MD5: c3ae3ed75e1d295d69bda9e51f6bd658
SHA256: 94626a70e5a8ef95330392757de6744c9e3dc44c4efbce57220be96582afe82e
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\b1503304-9b12-4d90-89e7-df30e304e6c2.png
binary
MD5: 50ec96b5c7a434659c4ae691b2a145f8
SHA256: 152cb15c98317c0eb8baa85bfc9255104fc838e300dff32b4d10604933e8499e
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache.onecache
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\a4f6c176-53e1-47b9-8fe4-8bb920684ff3.png
binary
MD5: 800057027137ed67bb7d628669e2f78c
SHA256: cee690e62734faa7550ce8540ea15e51395a470881b6fecf2d21bca2757a906f
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\0d984a6a-e70e-4747-bded-b92173e85c21.png
binary
MD5: b050499d1c153a870f6021b424d11ed4
SHA256: 3535477d5e6695d11bad35c4d22003d8c0d423b610eae32d05049e7247ba369c
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\3c6a9801-329c-4eba-9524-2165ac426bef.png
binary
MD5: d83efd3149fdd11f0b4b38bcf4ead228
SHA256: a2b184b26d43b9e8e7d9fff134c6e53348f3d51c37eb33c7edf74a7f7b3db757
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\79a073b8-0713-4166-af23-3272c394a92a.png
binary
MD5: 7bd53178b3519426837867fb5d51e1a4
SHA256: 17701974ce67d51ad275ff6f3d9abc8856b43ff3f2b5fc3c9d8cdfa1a3a97e94
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\bdde27ea-6a12-4825-bfac-f600b0f142fa.png
binary
MD5: ce952aaca27017d041c151f282444c1c
SHA256: 07e97136d8b737f535dc1b153a503a97a3e0bfd3d8cf90cb828d8c1ccc2da022
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\8339d228-5ca6-486f-8793-633aa6af18d8.png
binary
MD5: a8d1fa12d1c9945634d9f150c728b7a1
SHA256: bfe2a46d9d8fd5debf3dd0ebe3c7c92e251e5fb6c44b9052a8af5ba8e5cd79fe
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\5318eba9-773d-4fec-9366-6e84f8dfbbc5.png
binary
MD5: ff05f1aae97cc6b5b5726c43872efd38
SHA256: d46f73cdc078d9f90c5abc25f6cf74941b9106629b5297175d38e0ec66ba440d
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\072143f8-573f-45cb-b0b1-04f7bf2da18e.png
binary
MD5: 8c59eed606b380df4349b672b863cff5
SHA256: bed0d996dd9b33fc03cc792e8705d49bcc0221d04139e45ec322e68d6ae55584
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\07a5080e-becd-4719-9a79-fe50b59eb55b.png
binary
MD5: 131c47e97f116a331d2dcc52f76a3c72
SHA256: bd3b5299a3821316c74f6a9f573a23cd07a755611980c5237572f26528e96f24
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\115556d6-ba8b-4b18-8439-8e9c81ff63a4.png
binary
MD5: f29041dbb4892d2d5b3dd6e07f5543aa
SHA256: b7917ef6f576a595749dfd6da80f463638d3c33a7a5c23e61c2569bee19c9ac0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\5394c05d-dc33-4d24-bd45-2d8954648f28.png
binary
MD5: a8cbf608929bc524b746ecba670a3d34
SHA256: fc46ab66597c6a041d7541236b2e12cb4cca4b02826c5ce9f34b901097bc71ad
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\0ec91619-5478-4e5c-aa1b-8da00a066091.png
binary
MD5: e0198dae09e5309708fd721532d9052d
SHA256: 657d005f1eb7ecb83d81c531008130771e0389b50881315165006ee86275c6c5
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\70d1f452-966e-4e28-8da5-8b2eeadbe078.png
binary
MD5: b39043762eff4d5f06ccae67b9e3a889
SHA256: 899c506d2b74742b218d4677b059806b33d780dd0f8017e68d18fdcdfc3bc3b3
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\42a4aea1-ab77-4cf7-a3cb-14953248ceea.png
binary
MD5: 5100fd53936100ef3c3ea91ee55d0508
SHA256: f5da53b280dbdd2061d907622f9f43f4dcea515744cacde64e9118901e1e3cfd
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\52c39d7c-6d6b-4ad3-b5e5-c417949d335d.png
binary
MD5: 7061f91319acebad1ed4817610aa6c64
SHA256: 8050d7d85454426170e99b0aab4adbaddb3d0d574c4e392685dcb561dbf620c8
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\70c3a864-35fa-4245-802a-dbda1e3f4c00.png
binary
MD5: d06aa4101e2c107e652f6a738b8241ea
SHA256: 1c75e0cbac06b8a18bcbb6591f59dd0352c1b35cd1959ed1ca1657d3b6902748
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\a6f0f9a9-e50d-4612-9e8e-f5640793680c.png
binary
MD5: c2a54607651161fa4429ed8cddfd58b5
SHA256: 0fc1b2fd25862e29d7de83ef1251745c2dd3fb24495b21d520f576cd2c577de0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\a9e6bb3f-0b62-4410-86f7-68bb36989df7.png
binary
MD5: 6a2383ca9443ec011a399d56028e18ce
SHA256: f60d87ea9af2ed3162011075fafbfbc4d7291d9d154529807914a543b916ff20
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\3506c6f4-6090-46ec-9fb3-0e2963361ba0.png
binary
MD5: 61590606dd71e5c2d9284c961308d9f4
SHA256: 5d2260cb083c16034c9e3749578e676f102959e52040e0d292d5955763e81063
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\6d6e34b9-0e90-470c-ada3-2b00b4b8ffac.png
binary
MD5: 77cd0254624d9b9181d133da2a81e814
SHA256: cacca9565bed03c58e2493c0149006281ff5f6ea2d383ead0ec6120b4c516d0b
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\1e81fb27-0aa3-4b11-a764-0d9e7e3272ea.png
binary
MD5: 83c091ad07604e8c8edb45d2b2054e2c
SHA256: a7ba3d91fbd25d24ea5aa7ce858a4658da9ff1925d18811ccb6ea704daa38af0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\03809a07-348b-48cc-b08d-f7b8472c133c.png
binary
MD5: 6d6fae0c2c49da30fd1c758e8e764f7b
SHA256: c84bae2dafac4d2e4cf72e39fbe70dd5f5a6eed8c132016d36cd65f3fe4521b0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\0ff838eb-89b4-4a2f-881a-6e583195d26c.png
binary
MD5: 96c210ab44adea3c4b194f9e502f0ca4
SHA256: 9fec48a55964f172dadb6f8372720c92bfcb249e90af0a2c46018ee8636b85b8
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\1a16981c-377d-4a10-9522-787f93302c18.png
binary
MD5: 80eb2e641537338413c17e9bcefea6f9
SHA256: 054f25afee8cf5724ac40bd5f0e1fc1784ced640edfc15770352c04ec8b1ee60
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\4f92e887-7fef-4a98-9f74-501f37835639.png
binary
MD5: 48e06ae8b811894b25aefc6a4fc1fcb0
SHA256: a67dfdcff1dfab49363b90846f97fa552c14c9d0e791b4a9d8ec2c300ae1a690
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\OneNoteOfflineCache_Files\2d02d28e-c843-42a7-ba9c-3541f1bd4e3a.png
binary
MD5: b1d830b36b19568a254d6797dba00d4b
SHA256: 693b1560fa7a56c38f3c437ec5493d358accb5b04eaf7d0cfa7766b8b87339e0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\Word14.customUI
binary
MD5: fed8273437461979b6cf8f478cee8db1
SHA256: 5caf0134aa20aa5afcfed700c936c054a27923b0495661d61f787e55b717cf3f
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\PowerP14.customUI
binary
MD5: 6022bf75bc8d02bc54482c8787ba6ec1
SHA256: 47af16c3258d4104a3bf9bff09ce8189384658f95c5166ca445b44d81fd546fc
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\OneNote\14.0\Backup\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\1393006d820cae7905d0cd57314ee6ac.xml
binary
MD5: 562904cfaa6212a76369c47e1a32a38a
SHA256: 09bdbd7fcca2d2b209c71f2636d5b8073dde6c27dce986a7f8562a86db0cf540
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\f0008bc476267c1e98c0470af48ad1f1.xml
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\786b7d3a5372048de949b5ce333fe46e.xml
binary
MD5: 007690695371efd0bcdd94a013610f7c
SHA256: 80b937090745ac37f57d96a55027bfee5503bed4fa6f744c42b144dfe758bc29
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\786b7d3a5372048de949b5ce333fe46e.sig
binary
MD5: 3c1e8b4475825770bafb5591931e8973
SHA256: 458df8e067810eac9bc55905cf748d83b576a13f37e20a8bb770912c0c613974
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\5a09d74f269ff6241000b9def1b5daa1.sig
binary
MD5: 8099b64257530a4a50553a2c85824440
SHA256: 27dbbde9c8e7f8c7f9f3cecdfaca7d8251a4be85460bb923e5e48144226e20b7
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.xml
binary
MD5: 5bd184ae0eaee267fdc234b76e7665c6
SHA256: ca35776a3e373c8e44864ff326dd0c5af2c1b8271992001334ee9587005f6375
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\54946941a2b45a5ba7f3e1b905b42959.sig
binary
MD5: 911d9510b2545e0f60b36851c13ec140
SHA256: 4366f1cd61aa3aa9046b7b3dd3b149f8a7a930bb73b4864b44652cbc22dffa40
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\RyukReadMe.txt
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\5a09d74f269ff6241000b9def1b5daa1.xml
binary
MD5: 0d4ba7e9ef2c1acb7916cd5e24db498b
SHA256: c03a1ac5f289d84b480a48511cc5f38767274ee654aa71fe31cc4f9f22a0855c
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\54946941a2b45a5ba7f3e1b905b42959.xml
binary
MD5: 7aff977704709bc138cff2676c3e28cc
SHA256: 4b77dccdb011ccaed9ad9335b4f3e39d3f1de2daed5fab618e7c9005778b8d39
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\b6419f5bc3093b5f22142ce454e02407.sig
binary
MD5: adc165ef944e012111e58d93c4204811
SHA256: 7f4186fe28c1b5b75cefc1e3652a36de759556bdd9872e7de7d0e0b862c93838
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.xml
binary
MD5: 8aa1bcf72e5428ee1a669270ab3d90ea
SHA256: 903d848ff0c9f39e28b85c27df1c9b7e2916b5bb12085f7da1da33fe774ccf26
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\f0008bc476267c1e98c0470af48ad1f1.sig
binary
MD5: 8a469f223a2b5d8ba9ffb009913aad49
SHA256: a6766864b90ded6d131acf6ebb9b7c031c7190999aa816d4ee460b5b86c923c0
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\350db95df4cbd94b2a1c300510e12e11.sig
binary
MD5: 5b05e109c98d88d80a1234f341d9d087
SHA256: 241c89fc9a5f857c6bf198fb53c7cf41f8950968b28902c1f0ec8c8554e3ea90
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\14.0\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_372.wmdb
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Office\ONetConfig\1393006d820cae7905d0cd57314ee6ac.sig
binary
MD5: 51a979ffb08953968a7ad260f771378f
SHA256: dd6c82bfcefca7fab16cc14ba722a6ca246360e5efe878729213d200f107ed82
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms
binary
MD5: 9441d4c2d0d5931227b5f084cf5f590f
SHA256: fa4cb238932308320b9d8e7cb3def1df33098b76fdcfe3fcf278972fb1cafb64
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\Popular Government Questions from USA~dgov~.feed-ms
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Credentials\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Credentials\6D1A87920349DD4D3283E3AD94EF4076
binary
MD5: fa68b349b5e469be09e5de42598a34fe
SHA256: 4a336c90862eb09bdf8c3d7fda295d53d94e830b1700fc38b8b6e6b8a0e567e6
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Credentials\CF843E73A6F6A0495AE1CE9B416455AD
binary
MD5: 9f942e18af05c61fc1175c6d7452277e
SHA256: 47924caabe830bd3f7dbd7d433b97277107f240e3c67f0bd866444795c665c54
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Event Viewer\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds\Feeds for United States~\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Feeds\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\GDIPFONTCACHEV1.DAT
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool.log
binary
MD5: 67242cba346a67619d29abb033e0c291
SHA256: 93a5543c6e7ee05cf1f4ca481c66422f6c864c80c132f3d63401e8693ad3e4fb
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\reports\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\settings.dat
binary
MD5: 0b9fc086a5b45d29e9175a4517b20fc5
SHA256: 3598644dd548473709adb5400ecac8644f71130469c91d38b1a20e0129c0aba9
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-sandbox.log
binary
MD5: 5c2253a67e6f5f5747458259d0a4a632
SHA256: b745e34ea1df519b5f5878b699c193b1242b7526deeba0cec0ebb0276a686dcb
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\Software Reporter Tool\software_reporter_tool-crashpad.log
binary
MD5: 9170d31aa7562770cf56b44bd5372454
SHA256: 9682c1fca05fd7d3575081bc904bd198b7bcfc88bd97ebeee63903aac46a88c4
1996
dwm.exe
C:\Users\admin\AppData\Local\Microsoft\Windows\History\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_compare20x20.png
binary
MD5: 3d39b50c64f40a7578aae19a039cda38
SHA256: 9b2752fb9f735e2e77edebb095e3da0fa662ef92030c404f2d5655c75acc0541
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_folder16x16.png
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_logview20x20.png
binary
MD5: dac2449867e3e93cdb7879c6be20eac1
SHA256: 1aa34cbee738c609005eec03a8ad2963daa9132dabdfb9903c103f42836c83ad
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_speedlimits16x16.png
binary
MD5: 11b73a4c33d437e4c1ac6a428d6a77b9
SHA256: 4e0d90332ee6fd8fa6c89279ef0f2f8eb3e7de8bb4d8ff5015eb91e6c0c50910
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_processqueue20x20.png
binary
MD5: bb906361273502d58f483e009a70311b
SHA256: 92d4c55604a59063ae8ca38e0a9ae818d826a28c33f188c2e79c85c808fad0e4
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_close12x12.png
binary
MD5: c866f01eb784319b5ceaf0aa189ce7c0
SHA256: 1879980a8c20b2faaab0cfd4a0dddeba1cfd4744978ada820d7dd2a868cbe1d7
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_disconnect20x20.png
binary
MD5: e74f3cef57e867cc51305a9771a35dd9
SHA256: 0968b0b73be229ed3ed8a6e5b7ddf1c92e532b62707072ae14c4b667c0d7e769
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_server16x16.png
binary
MD5: e485b103dff6c8252a84ce643a86e961
SHA256: 79e4c616ea052396d67f8124b2f4cb08f17f58f905ea853c2aae365b53ea1484
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_filter20x20.png
binary
MD5: 771ae1f620479f75a0946dae9d5d15f9
SHA256: d6a280191bf0f69187c157f27d56b2d59a79e5ef8dfb2a371dc1a16461730247
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_leds24x24.png
binary
MD5: c798427381bdbd045df3a43bf06b9b8c
SHA256: b96a734529d27a5d93fa720a8bd7a08c7f4a3a188620a5302d0f2e85a3e9860a
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_queueview20x20.png
binary
MD5: cd314ec72ace10826415dcc007bcabf4
SHA256: 3a0f20337044c83a852d8f9f82a7c2bdb283158ffe8c234a8d45c9f0b3dff958
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_reconnect20x20.png
binary
MD5: 01d9fbceafc29b1cadfd66e2268da70e
SHA256: 61d9bf65bad6ec972625c75cd2fb77fdb2e9d635ac74237aec4ee5ce111190fa
1996
dwm.exe
C:\Users\admin\AppData\Local\Google\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_synchronize20x20.png
binary
MD5: a0680b11a9b6ecfe13c6707cf6de88d5
SHA256: 95d961401804c5afd93161eb31dc44f2f8a10d4e080ed1e879e70b2d7eaf3f3c
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_refresh20x20.png
binary
MD5: baffc9597c563038ed37b5784764e598
SHA256: 2294e9b3d1cd2561b1f037e2a6ddb9f53c0628ec5d4bf9cb194d918189de0d5f
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_remotetreeview20x20.png
binary
MD5: 37cc8b99bf141abc6cb4d625c09e7912
SHA256: fa67f1783ec16b8bc565ee76a8c8f00e2e91cc59d16255c275eab5018fd88db5
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_sitemanager20x20.png
binary
MD5: 625664bdb9ef00be398ba4f3d8815741
SHA256: 7fb0663c9beb29a0fdc8b34343d627a856755290bfa8bcc23325bab5237ad623
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_find20x20.png
binary
MD5: 849715cee3b18d88c2845673984fbc12
SHA256: 8b8e4eca712cc3d6a2ecfc773bebae42813de0c74c594742870fb6de18d312d6
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_cancel24x24.png
binary
MD5: 3438d317ac27c8be4124e9cc498f34ad
SHA256: 0aa16bb76f3bad33cf8507b63661fd94b2e4e96f321fcd716fcd6048ae7b0a06
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_localtreeview20x20.png
binary
MD5: 212e1d1199b9785632916319dc7cc0ee
SHA256: e5f0c5c9c8873db0693dc1387fc84bf6d0fc161621bfa61d9447d6e84171fa86
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_file16x16.png
binary
MD5: 83ec315e410e27bb572d093e06e32809
SHA256: 799aa3324ec4a0724ad6f684f452d41bd68332e2eb354f5aaa9f9e0009e6e984
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_auto16x16.png
binary
MD5: 541adb8a11311c6f0286d449c3a13be4
SHA256: 16c81d21605e789feadd77ec258ccbb66f78ca81a5be85425459a65fc4e80927
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\CrashpadMetrics.pma
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_dropdown12x12.png
binary
MD5: 14f73f9898e7505b4323e3b55eae3e41
SHA256: 7948e50e14015124b0018a3a6e3024a17d0c867106f6b3d39c2877f7542968f7
1996
dwm.exe
C:\Users\admin\AppData\Local\FileZilla\default_cancel20x20.png
binary
MD5: 9516d5915492b80452f09dfaa49c9e26
SHA256: f4d82ad787a76f6d45f52ec1cfe5b27b2eb33c6fcb4f896e46ed6977a69a3d27
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\CrashpadMetrics-active.pma
binary
MD5: 9d8512040ce25509078c02bde8daf4f4
SHA256: 53ba25e80afa7762be2ca6a6c8cacf1f1143798b03f37e3d15789b44f3353b34
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\Dictionaries\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\Crashpad\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Color\Profiles\wsRGB.icc
binary
MD5: f13a81087f52fe52ef4ceb0f0c0f8775
SHA256: 030ef314c08da8433f3a804aa44fa7eb1219de0d89c0bca22bf9313dc10cb789
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Color\Profiles\wscRGB.icc
binary
MD5: 1c89deb928dcecb6703a77da78f31143
SHA256: 9dd059bdd9a2c1be437b58596ab160e0f5a8bc49bce269c907e61b916d30b057
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies
binary
MD5: b0d15adce07d022382f274d6dfcf4332
SHA256: 94b4927c9da7d376fe928821881a81bf1c4d7b5350c1fce9dfadacc40538d598
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Color\ACECache11.lst
pgc
MD5: 286d00e02cea24b6c9fd4003fcffc22b
SHA256: f761dcb30736aef0dd6a16a48df183760ea18e5a201e988fcac7b9bc65f30ebb
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\Crashpad\settings.dat
binary
MD5: 6a8690f90596a24fb5a23443ca96e08e
SHA256: 948f3c26d5d20657b9eab2733cac7c30c0f654fa13cc50b0107eda01494f0f67
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_1
binary
MD5: 6bb41b76814b2ecb9b9209ea35093e50
SHA256: ee70a79e42b98b13acb86f729be26a44394c291e2cf3601f6fb7d911994dafd1
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Color\Profiles\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cookie\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\index
binary
MD5: 5fb429aa3776e139741d48dc4396cb13
SHA256: 411d913d16faee584e09306c7d1fdc7c3fbad0c20e1e14da15c6e748d27cbdf2
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\CEF\User Data\Crashpad\reports\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Color\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_0
binary
MD5: d6f96d24951aae13590688630da6c0fd
SHA256: 8b865001b7098190a3460fa7dc1d9ddaa23aa5eea2af5cdbcdb64c113137c7fb
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr65536.dat
binary
MD5: 55c0d1e21c4de2426d460018ab703f43
SHA256: 6781abf3888085fe74e726f3c55d4a3707634511f04736b034eac64c25745563
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_3
binary
MD5: a1894886a3e65d31c98f410725a69641
SHA256: 86fbf43b96efa7984269d61afa779dc2d7a1a01e4735bca3e54f3df73c82c45d
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SharedDataEvents
binary
MD5: e56552be031ced465437c83a799ca02b
SHA256: 2de9023bd3bf00d54d0ac0b7b290f7444adaf41a4ad4cf42912b4e91c2e3b199
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\UserCache.bin
binary
MD5: 1a74e0974d407566d064efa19a93f7ab
SHA256: eefccb67568127d6446377b6f4045d9c5d9a93042e47e04283cc75bd7108dba9
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeSysFnt15.lst
binary
MD5: 9bc6c7c83eb5d4ae801171082c86e297
SHA256: 343b98e44cef789dc5315c44a1ea68461389b107af5c31d9b28645962ec08137
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\ToolsSearchCacheRdr\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\AcroCef\DC\Acrobat\Cache\data_2
binary
MD5: 2e8603ee8fd2008c07910f7bdf4601dc
SHA256: 95a036db45b0f35852dcea91af89933e186b1e69af63eed434efde6bd31b18f4
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\IconCacheRdr.dat
binary
MD5: 0faaf54ff504cf6a135268e3b212cc95
SHA256: af75908fdd60fd10e55ca747d88ea145726e7f2d0e0259d1ddcddc94b597eb8b
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\AcroFnt15.lst
binary
MD5: 49eecc3563690a84d2a5a05267aaa993
SHA256: b3d250ffcfc247e566d3442df800a228671d67c26e5aee0461d29706e33b1f49
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Skype\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt15.lst
binary
MD5: 22257383a5d99d89a946df88dae4966d
SHA256: f94929499ac693f880aecd2d9674481afdab464f6a506a11e5583e69ff1de4a7
1996
dwm.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
binary
MD5: a290136151657b686e0a654d47a67503
SHA256: 6e2de41bd2a5f771d05f1a49b96bf36589437259a5c41d6bbdebdee4c82ea30c
1996
dwm.exe
C:\Users\admin\AppData\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Cache\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\admin\.oracle_jre_usage\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Oracle\Java\installcache\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Oracle\Java\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\qemu-ga\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Skype\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Oracle\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\RAC\PublishedData\RacWmiDatabase.sdf
binary
MD5: 09e1d2388cc76f96b0cf24a66cace8b1
SHA256: 2d99c585647831c0cfd63111b3ab6c9042b5cd0a851dc1cc91f233f9c36415e8
1996
dwm.exe
C:\ProgramData\Microsoft\User Account Pictures\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\RAC\Temp\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\RAC\PublishedData\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\MF\Pending.GRL
binary
MD5: deff4c97814fbd2aac50e15a49249537
SHA256: ad2e9041f7bb8454fcf683d75a24dfb8ebaea8510d3437536b5d824f61668781
1996
dwm.exe
C:\ProgramData\Microsoft\MF\Active.GRL
binary
MD5: 0731ac961cfce1788dbade8cbbd9b572
SHA256: 475cf33bce97fff6d5fe7ab56bde6523b398374d2762afe851c74143ae4db2db
1996
dwm.exe
C:\ProgramData\Microsoft\NetFramework\BreadcrumbStore\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\eHome\logs\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\eHome\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\DeviceSync\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\Crypto\DSS\MachineKeys\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_90059c37-1320-41a4-b58d-2b75a9850d2f
binary
MD5: c137d98f1184350b90602a9b82b0be45
SHA256: ace3ec11fb21bf5506aee157ed14f5b1ce8d87f0a26d49200fb0dd243e66ec66
1996
dwm.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\Public\Favorites\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\Transforms\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Users\Public\Documents\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\ARM\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\Setup\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\ARM\Reader_15.007.20033\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\Program Files\Google\CrashReports\RyukReadMe.txt
text
MD5: cd99cba6153cbc0b14b7a849e4d0180f
SHA256: 74c43a177917b1d57ea2eaf6212ccf3b9012b4d68bc45284349443eed0bf5ee2
1996
dwm.exe
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\08e575673cce10c72090304839888e02_90059c37-1320-41a4-b58d-2b75a9850d2f
dbf
MD5: 93a5aadeec082ffc1bca5aa27af70f52
SHA256: a1a21799e98f97f271657ce656076f33dcb020d9370f1f2671d783cafd230294
1996
dwm.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
1996
dwm.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
binary
MD5: 13241593d4373f63332df620c0f7150b
SHA256: c832eee855162fb26ebed40350a530aaf966272e905671872c24eba979143f87

Find more information about the static content, and download it, in the full report.

Network activity

HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

No network activity.

Debug output strings

No debug info.