General Info

File name

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe

Full analysis
https://app.any.run/tasks/18700f43-3ed6-4a8d-b2a7-07af53d3d94d
Verdict
Malicious activity
Analysis date
7/2/2021, 23:00:40
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

561cffbaba71a6e8cc1cdceda990ead4

SHA1

5162f14d75e96edb914d1756349d6e11583db0b0

SHA256

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e

SSDEEP

24576:vMz7ETDWX4XukZeVL/kYx9P/JY6gfjcsAE:kfF7k4pB/JYPIsAE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 11.0.9600.17843 KB3058515
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
  • Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
  • Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
  • Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)
  • srvpost (2.12.74)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Hyphenation Parent Package English
  • IE Spelling Parent Package English
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • InternetExplorer Package TopLevel
  • KB2533623
  • KB2534111
  • KB2639308
  • KB2729094
  • KB2731771
  • KB2786081
  • KB2834140
  • KB2882822
  • KB2888049
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • PlatformUpdate Win7 SRV08R2 Package TopLevel
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Application was dropped or rewritten from another process
  • MsMpEng.exe (PID: 1836)
Drops executable file immediately after starts
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe (PID: 1188)
Loads dropped or rewritten executable
  • MsMpEng.exe (PID: 1836)
Renames files like Ransomware
  • MsMpEng.exe (PID: 1836)
Executable content was dropped or overwritten
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe (PID: 1188)
Drops a file with a compile date too recent
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe (PID: 1188)
  • MsMpEng.exe (PID: 1836)
Drops a file that was compiled in debug mode
  • d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe (PID: 1188)
Uses NETSH.EXE for network configuration
  • MsMpEng.exe (PID: 1836)
Creates files like Ransomware instruction
  • MsMpEng.exe (PID: 1836)
Executed via COM
  • unsecapp.exe (PID: 572)
Dropped object may contain TOR URL's
  • MsMpEng.exe (PID: 1836)

Static information

TRiD
  • .exe | Win64 Executable (generic) (76.4%)
  • .exe | Win32 Executable (generic) (12.4%)
  • .exe | Generic Win/DOS Executable (5.5%)
  • .exe | DOS Executable Generic (5.5%)
EXIF
EXE
Subsystem:
Windows GUI
SubsystemVersion:
6
ImageVersion:
null
OSVersion:
6
EntryPoint:
0x13ef
UninitializedDataSize:
null
InitializedDataSize:
863232
CodeSize:
45568
LinkerVersion:
14.23
PEType:
PE32
TimeStamp:
2021:07:01 14:40:29+02:00
MachineType:
Intel 386 or later, and compatibles
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
01-Jul-2021 12:40:29
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x00000108
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
5
Time date stamp:
01-Jul-2021 12:40:29
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name    Virtual Address  Virtual Size  Raw Size    Characteristics                                                                Entropy
.text   0x00001000       0x0000B072    0x0000B200  IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ                    6.62319
.rdata  0x0000D000       0x000059F0    0x00005A00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                              4.86046
.data   0x00013000       0x00001410    0x00000A00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE          1.81175
.rsrc   0x00015000       0x000CAB18    0x000CAC00  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ                              6.98949
.reloc  0x000E0000       0x00000E04    0x00001000  IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ    6.12011
Resources
101

102

Imports
    KERNEL32.dll

Exports

    No exports.

Processes

Total processes
40
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe → (drop and start) → msmpeng.exe (no specs) → (start) → netsh.exe (no specs)
unsecapp.exe (no specs)
Process information

PID
1188
CMD
"C:\Users\admin\Desktop\d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe"
Path
C:\Users\admin\Desktop\d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe
Indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\system32\kernel32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\systemroot\system32\ntdll.dll
c:\users\admin\appdata\local\temp\msmpeng.exe
c:\users\admin\desktop\d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll

PID
1836
CMD
"C:\Users\admin\AppData\Local\Temp\MsMpEng.exe"
Path
C:\Users\admin\AppData\Local\Temp\MsMpEng.exe
Indicators
No indicators
Parent process
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Microsoft Corporation
Description
Antimalware Service Executable
Version
4.5.0218.0
Modules
Image
c:\windows\system32\samcli.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\webio.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\netapi32.dll
c:\users\admin\appdata\local\temp\msmpeng.exe
c:\windows\system32\srvcli.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\rstrtmgr.dll
c:\users\admin\appdata\local\temp\mpsvc.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\user32.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\lpk.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\winmm.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\profapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\browcli.dll
c:\windows\system32\winsta.dll
c:\windows\system32\drprov.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll

PID
2588
CMD
netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
Path
C:\Windows\system32\netsh.exe
Indicators
No indicators
Parent process
MsMpEng.exe
User
admin
Integrity Level
MEDIUM
Exit code
1
Version:
Company
Microsoft Corporation
Description
Network Command Shell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\mpr.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\nshhttp.dll
c:\windows\system32\credui.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\fwcfg.dll
c:\windows\system32\netsh.exe
c:\windows\system32\rasman.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msctf.dll
c:\windows\system32\nsi.dll
c:\windows\system32\odbc32.dll
c:\windows\system32\firewallapi.dll
c:\windows\system32\lpk.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nshwfp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\imm32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ws2help.dll
c:\windows\system32\httpapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rasmontr.dll
c:\windows\system32\ole32.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\wevtapi.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\odbcint.dll
c:\windows\system32\slc.dll
c:\windows\system32\qutil.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\dhcpcmonitor.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\dhcpqec.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\wshelper.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\whhelper.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ifmon.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\onex.dll
c:\windows\system32\profapi.dll
c:\windows\system32\logoncli.dll
c:\windows\system32\eappprxy.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\wlanapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\activeds.dll
c:\windows\system32\nettrace.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\polstore.dll
c:\windows\system32\wlanutil.dll
c:\windows\system32\wcnnetsh.dll
c:\windows\system32\hnetmon.dll
c:\windows\system32\tdh.dll
c:\windows\system32\p2pnetsh.dll
c:\windows\system32\p2p.dll
c:\windows\system32\authfwcfg.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\nci.dll
c:\windows\system32\rpcnsh.dll
c:\windows\system32\winipsec.dll
c:\windows\system32\netshell.dll
c:\windows\system32\netutils.dll
c:\windows\system32\devobj.dll
c:\windows\system32\devrtl.dll
c:\windows\system32\eappcfg.dll
c:\windows\system32\certcli.dll
c:\windows\system32\adsldpc.dll
c:\windows\system32\wdi.dll
c:\windows\system32\version.dll
c:\windows\system32\atl.dll
c:\windows\system32\napmontr.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\netiohlp.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\dot3api.dll
c:\windows\system32\ndfapi.dll
c:\windows\system32\webio.dll
c:\windows\system32\shell32.dll
c:\windows\system32\dot3cfg.dll
c:\windows\system32\nshipsec.dll
c:\windows\system32\userenv.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\tsgqec.dll
c:\windows\system32\peerdistsh.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\provsvc.dll
c:\windows\system32\sstpsvc.dll
c:\windows\system32\eapqec.dll
c:\windows\system32\wwancfg.dll
c:\windows\system32\napipsec.dll
c:\windows\system32\clbcatq.dll
c:\windows\microsoft.net\framework\v4.0.30319\servicemodelevents.dll
c:\windows\system32\qagent.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\snmptrap.exe
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wlancfg.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\wwapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\wlanhlp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\netlogon.dll

PID
572
CMD
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Path
C:\Windows\system32\wbem\unsecapp.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Version:
Company
Microsoft Corporation
Description
Sink to receive asynchronous callbacks for WMI client application
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wbemcomn.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\msctf.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\usp10.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ws2_32.dll
c:\systemroot\system32\ntdll.dll
c:\windows\system32\cryptsp.dll

Registry activity

Total events
426
Read events
0
Write events
89
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
LanguageList
en-US
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-100
DHCP Quarantine Enforcement Client
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-101
Provides DHCP based enforcement for NAP
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-103
1.0
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\dhcpqec.dll,-102
Microsoft Corporation
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-1
IPsec Relying Party
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-2
Provides IPsec based enforcement for Network Access Protection
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-4
1.0
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\napipsec.dll,-3
Microsoft Corporation
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-100
RD Gateway Quarantine Enforcement Client
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-101
Provides RD Gateway enforcement for NAP
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-102
1.0
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\tsgqec.dll,-103
Microsoft Corporation
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-100
EAP Quarantine Enforcement Client
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-101
Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies.
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-102
1.0
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%SystemRoot%\system32\eapqec.dll,-103
Microsoft Corporation
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@C:\Windows\Microsoft.NET\Framework\v4.0.30319\\ServiceModelEvents.dll,-2002
Windows Communication Foundation
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@peerdistsh.dll,-9003
BranchCache - Hosted Cache Client (Uses HTTPS)
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@peerdistsh.dll,-9002
BranchCache - Hosted Cache Server (Uses HTTPS)
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@peerdistsh.dll,-9001
BranchCache - Peer Discovery (Uses WSD)
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@peerdistsh.dll,-9000
BranchCache - Content Retrieval (Uses HTTP)
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@sstpsvc.dll,-35001
Secure Socket Tunneling Protocol
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@netlogon.dll,-1010
Netlogon Service
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@snmptrap.exe,-3
SNMP Trap
2588
netsh.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
@%systemroot%\system32\provsvc.dll,-202
HomeGroup
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
Ucr1RB
BF1EEE02663433A181DBB08784140ED12913D266FDEED2F70985DD598B7D16EA43B196DF630823D7434B91EA398191E5501043A121ACA71AF99074BFBC1191ADA90E341C14A9ADE5912236946FAA464513DB723D9797D9DC
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
Ed7
F7F020C8BBD612F8966EFB9AC91DA4D10D78D1EF4B649E61C2B9ADA3FCC2C853
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
QIeQ
4590AA7C08D0ECB55C47FF04006CE98975926E7B68F2D11EC98FE9362494B845
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
wJWsTYE
.w4p009z
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
JmfOBvhb
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
1836
MsMpEng.exe
write
HKEY_CURRENT_USER\Software\BlackLivesMatter
96Ia6
A91A267B3EC336AFC66739A4268F59EFD1DAFDF422D1192E8FC8B3D7A130B6F2F12866BEBA02382F5F87281531088C32D6DCB5CB8BE2B4810438FC047962C13E3E1F3158C484124902F87C1BDEFA73B1F40296E5330352E3

Files activity

Executable files: 2
Suspicious files: 97
Text files: 1
Unknown types: 2

Dropped files


Find more information on the static content, and download it, in the full report.

Network activity

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

No network activity.

Debug output strings

No debug info.