General Info

File name

w.exe

Full analysis
https://app.any.run/tasks/9c930a10-e181-4ead-89d2-518b22bf20ce
Verdict
Malicious activity
Analysis date
10/9/2019, 18:36:36
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:

ransomware

sodinokibi

Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

5bae3b513617471179f9531cd1d9d767

SHA1

acbe505a07e9b974e28dfd2c91052ff0064e366d

SHA256

d5f7964dc07bb3465fbc3a995fcadd623197716480f6b86518a5dfdafc9f3af7

SSDEEP

6144:i1xYJ/Jcv+FYjj9aHHQxMZIL+S4NICOcL94WTxMFhMjK6sxFlm5AhekQY:2xYJRcRcnQhLX4NIe4XmjKR0TkQY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distored by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evaision option
off
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (75.0.3770.100)
  • Google Update Helper (1.3.34.7)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.7.2 (4.7.03062)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
  • Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
  • Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
  • Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB4019990
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

MALICIOUS SUSPICIOUS INFO
Sodinokibi ransom note found
  • w.exe (PID: 940)
Renames files like Ransomware
  • w.exe (PID: 940)
Executed via COM
  • unsecapp.exe (PID: 3420)
Creates files in the program directory
  • w.exe (PID: 940)
Executes PowerShell scripts
  • w.exe (PID: 940)
Executed as Windows Service
  • vssvc.exe (PID: 3884)
Creates files like Ransomware instruction
  • w.exe (PID: 940)
Application launched itself
  • w.exe (PID: 2696)
Creates files in the user directory
  • powershell.exe (PID: 2404)
Dropped object may contain TOR URL's
  • w.exe (PID: 940)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Static information

TRiD
.exe
|   Win32 Executable MS Visual C++ (generic) (42.2%)
.exe
|   Win64 Executable (generic) (37.3%)
.dll
|   Win32 Dynamic Link Library (generic) (8.8%)
.exe
|   Win32 Executable (generic) (6%)
.exe
|   Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2018:06:26 19:15:28+02:00
PEType:
PE32
LinkerVersion:
12
CodeSize:
68608
InitializedDataSize:
411648
UninitializedDataSize:
null
EntryPoint:
0x2c04
OSVersion:
5.1
ImageVersion:
null
SubsystemVersion:
5.1
Subsystem:
Windows GUI
FileVersionNumber:
1.0.0.4
ProductVersionNumber:
1.0.0.4
FileFlagsMask:
0x006f
FileFlags:
Pre-release, Patched
FileOS:
Unknown (0x40304)
ObjectFileType:
Static library
FileSubtype:
81
LanguageCode:
Chinese (Simplified)
CharacterSet:
Unicode
FileVersion:
1.0.0.4
InternalName:
dgfjhdgfjdf.exe
LegalCopyright:
Copyright (C) 2019, dfgjdgfhdgf
ProductVersion:
1.0.0.4
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
26-Jun-2018 17:15:28
Detected languages
Chinese - PRC
English - United States
FileVersion:
1.0.0.4
InternalName:
dgfjhdgfjdf.exe
LegalCopyright:
Copyright (C) 2019, dfgjdgfhdgf
ProductVersion:
1.0.0.4
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000E8
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
7
Time date stamp:
26-Jun-2018 17:15:28
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_AGGRESIVE_WS_TRIM
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Charateristics Entropy
.text 0x00033000 0x0003B7C0 0x0003B800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 5.24158
.rdata 0x00012000 0x0000A53A 0x0000A600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.93132
.data 0x0001D000 0x000154A0 0x00005800 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.08777
.tls 0x0006F000 0x00000009 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00070000 0x00007BE0 0x00007C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 5.47193
.reloc 0x00078000 0x0000146C 0x00001600 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 6.36456
Resources
1

2

3

12

13

14

15

16

17

128

216

391

469

683

771

945

Imports
    KERNEL32.dll

    ADVAPI32.dll

Exports

    No exports.

Screenshots

Processes

Total processes
42
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

+
start w.exe no specs #SODINOKIBI w.exe powershell.exe no specs unsecapp.exe no specs vssvc.exe no specs
Specs description
Program did not start
Integrity level elevation
Task сontains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has sucpicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

Click at the process to see the details.

PID
2696
CMD
"C:\Users\admin\AppData\Local\Temp\w.exe"
Path
C:\Users\admin\AppData\Local\Temp\w.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\w.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\propsys.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\wininet.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\sfc.dll
c:\windows\system32\sfc_os.dll
c:\windows\system32\devrtl.dll

PID
940
CMD
"C:\Users\admin\AppData\Local\Temp\w.exe"
Path
C:\Users\admin\AppData\Local\Temp\w.exe
Indicators
Parent process
w.exe
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\w.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\msvcr100.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\mpr.dll
c:\windows\system32\shell32.dll
c:\windows\system32\winmm.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\drprov.dll
c:\windows\system32\winsta.dll
c:\windows\system32\ntlanman.dll
c:\windows\system32\davclnt.dll
c:\windows\system32\davhlpr.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\iconcodecservice.dll
c:\windows\system32\windowscodecs.dll
c:\windows\system32\credssp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\cabinet.dll

PID
2404
CMD
powershell -e RwBlAHQALQBXAG0AaQBPAGIAagBlAGMAdAAgAFcAaQBuADMAMgBfAFMAaABhAGQAbwB3AGMAbwBwAHkAIAB8ACAARgBvAHIARQBhAGMAaAAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBEAGUAbABlAHQAZQAoACkAOwB9AA==
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
w.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll
c:\windows\system32\wbem\wmiutils.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\napinsp.dll
c:\windows\system32\pnrpnsp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\winrnr.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\windows\system32\netutils.dll

PID
3420
CMD
C:\Windows\system32\wbem\unsecapp.exe -Embedding
Path
C:\Windows\system32\wbem\unsecapp.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Microsoft Corporation
Description
Sink to receive asynchronous callbacks for WMI client application
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\wbem\unsecapp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll

PID
3884
CMD
C:\Windows\system32\vssvc.exe
Path
C:\Windows\system32\vssvc.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Microsoft® Volume Shadow Copy Service
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\atl.dll
c:\windows\system32\ole32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\vssapi.dll
c:\windows\system32\vsstrace.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\samcli.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\xolehlp.dll
c:\windows\system32\version.dll
c:\windows\system32\resutils.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\authz.dll
c:\windows\system32\virtdisk.dll
c:\windows\system32\fltlib.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\vss_ps.dll
c:\windows\system32\samlib.dll
c:\windows\system32\es.dll
c:\windows\system32\propsys.dll
c:\windows\system32\catsrvut.dll
c:\windows\system32\mfcsubs.dll

Registry activity

Total events
633
Read events
558
Write events
75
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2696
w.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2696
w.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
ZXQ
D4B49BDFE704BD461962FCD4D3A9FCC0589009CCD867432B670502CB41CDED36
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
E9OI
0A8DDCCD9D7E82F83E623B18FEEECAB95B5E2718A03D132C97B054F00BE6FA36
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
uvm9h
79A1C013036195D1BE74225DE8B7D36F70503FA5CD7825EDA4D3E035F5B91908559CA6347D32AC445EA35C617020D57286406A2E8A317B623CC3647B127C6B4501085E331877A83FDC088670941DA542ED8E0BE6445FD710
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
PNjp30
A3A1B37DA234C24851A1A4646DB79FD0D39B55FFFEEBC58B3D8AE135C79BC6E434BE855B78B71ABEC151915BFC401B0F2CA6A45A7A37F73C3670AEB67B92179559CDE42478A34B791B194204AC6F21823AD7B65249337986
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
lYBttLJ
.8mig700b
940
w.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\GitForWindows
FK8LfRFZ
AEB19BB8774986B0B0F709ABA4CB2A56E8FF8E12EBFD7790F2191BFB910A48642B2B954188E57AEC793115BE942EA73ABFF3132B747BE99AA63B726FA11185B3B1914ADD79CC6CFEE42DC3AA23EBF7F4F271B8AC70E87F04F469836FA07CA9FD7F433E725E6186DCC805F512BE0A95D3C53FEF083DC78EC5EBB2444F081BEBC08B5B36CF99604B947D0A3CF0413539BF1E81181CD27C4ABADBC710EE114BB6BBAAB8669D5F45AF669FB5F191B63D0E1DBA59B2491E753910DBF7C0D206F3349DF02ED99F0A6165F4E4E3420B61BE75B661ACBC3CF458810E6035D19F399A4DDC110F26A44E5481C2AF258A8D0AED468743908B94169DA8B03561BFC239BF14590824DA69720D8F6CF11769056248AC62833FF6FB1BD012BA6D4371DFE4531DEB9605C87A739AEF7A5DCDA2B0F2A9EA07B862E68275656FC7E22B0F4C0FE40CEDB78E958E62EFE30162FED50602691C804A1CA808CBA7D67E0A27974A2FC8C3EFF84CCF45DC85AA08E9057E86DC78E4CFB5C031BF562EE821B49F4298D30FA05779F9BDE8D454EC658CD5DE4B8EA0644E7D549A0C82DEAB6835CF4F6FB3DDBC22BEF2B94C60DAF3AA8AD2D10046E84033BC23E21F1F28A867DE00BE45D47E9A2FFB931FAE6D586C579FDCF7415D0DC404F213190F0329E55BAA9304AAD79AD962F7C675C4EED54DAC05F6A9D7A30B0840D6DEC186E9EFB5172D87C2B781BB9EBCEB8AABAFBE9D1D00B914A8CAEB7CF2054B9ABCD7A68D8114A84B0DE9DDC4D859223B2A25B17914D858DFBB3C3A1893B8AB6403C097513199D632A262EED546011C9DA4D56C828A8C6D4206F6E223342BB646BB77679994A73C501AA07F66B303F749C01027EF0A5B56318DDCEDADC58AE4D792FB34FF4F8C9E36F4C80D39A69E302C047A506150C4A78A1EE1EFF721BD98EB971665C270C398414E779CAFB566F94B86B7AAADE54D028E86C1756DF1310CE587C56F48952A745C7F42D8EA400815D03E55108189BC174853F3580AB92846F7EF42B39C1E20E3B50E4D1A20DE55B1B752B3655379A86FFB142A057DE23942998E758324307E1B39889046CCA56E1A689B7CABE2193CE882E49796C70B5936B9ABE12D2A2CDC4F4D928F03769710C0EB37F9B4737C2A8804B3ADFF809CFE144B213967D15361D72F00361152CCC691DD684581A93D6F8B55E29F96DCA37865111141E3BBD14E8F9ED1BFC71EAF4110E27D23467D2F8759ED1203
940
w.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US
2404
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E
LanguageList
en-US

Files activity

Executable files
0
Suspicious files
168
Text files
1
Unknown types
4

Dropped files

PID
Process
Filename
Type
940
w.exe
C:\Users\admin\AppData\Local\Temp\Tar47DF.tmp
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Searches\Indexed Locations.search-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\AppData\Local\Temp\Cab47DE.tmp
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\AppData\Local\Temp\Tar47CE.tmp
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\AppData\Local\Temp\Cab47CD.tmp
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\AppData\Local\Temp\js0.bmp
image
MD5: f504939eba509125cfae9346acde929b
SHA256: 88edd19800bd23769f5954b7240d21b5b4b0c2580ac83cb33b736ff1750a096b
940
w.exe
c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.8mig700b
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\videos\sample videos\Wildlife.wmv.8mig700b
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\recorded tv\sample media\win7_scenic-demoshort_raw.wtv.8mig700b
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Recorded TV\Sample Media\win7_scenic-demoshort_raw.wtv
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\onenote notebooks\personal\Unfiled Notes.one.8mig700b
binary
MD5: 45c06224eb73f80b5219155c11c97ffe
SHA256: dc5a8e2db89fb9fc2ebade75b1335e99b502cda7a78c7668b0cab9d04249e054
940
w.exe
c:\users\admin\documents\onenote notebooks\personal\Open Notebook.onetoc2.8mig700b
binary
MD5: bba0e79c84d975189668834d306e21f7
SHA256: 5e270b1b34e6dbbeefc87369578cff5fa19be607c6b4e8ab310aae9144a0aaef
940
w.exe
c:\users\admin\documents\onenote notebooks\personal\General.one.8mig700b
binary
MD5: cff3bdcab876352f6d764c034232551b
SHA256: 47a6b42159bc076908ca8593c9910cb075c581bc73bf677220297979ff3619de
940
w.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Unfiled Notes.one
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\Open Notebook.onetoc2
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Documents\OneNote Notebooks\Personal\General.one
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\music\sample music\Kalimba.mp3.8mig700b
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\pictures\sample pictures\Tulips.jpg.8mig700b
binary
MD5: 8cba3b9bac3069fa6fd5c47da41c2783
SHA256: 3043eea92ea39baf364a4abf8bd4f06c76336d3f7d398438b5d65594a4cd5fa0
940
w.exe
C:\Users\Public\Music\Sample Music\Kalimba.mp3
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\pictures\sample pictures\Penguins.jpg.8mig700b
binary
MD5: e6d7310991acee440e3e2c0fc057b591
SHA256: b27bd6901cf9ea9c4ec088b249789d7203f26530f70a13281ac9ed45a69effdd
940
w.exe
c:\users\public\pictures\sample pictures\Lighthouse.jpg.8mig700b
binary
MD5: 280cf59cdba75023dc8cb9b0dc51b8ac
SHA256: d8415644b6d71d890c35892bc279baf251e94d3eeec1eead3db10fbb4b44e81d
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\music\sample music\Sleep Away.mp3.8mig700b
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\pictures\sample pictures\Koala.jpg.8mig700b
binary
MD5: e69ab118d2f78ae21cce0c1c92e51fe2
SHA256: ed5ea8f5efffb5c30e8155ce82a0f9195e7df1d6ccce1b19202586600a08434b
940
w.exe
C:\Users\Public\Music\Sample Music\Sleep Away.mp3
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\pictures\sample pictures\Jellyfish.jpg.8mig700b
binary
MD5: ada4df8588eedc940f50b8835fd61aa4
SHA256: e003e5ba541e06bf293f36a6f033335f9e8290baac2804cda6259102469066ab
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\public\music\sample music\Maid with the Flaxen Hair.mp3.8mig700b
binary
MD5: c04202ac3609768ac098ecc168198bf9
SHA256: 5cd6f067cc61ab0820d6d3a64c34365a4aae41a61e2ce1064bd8ff9e7037c945
940
w.exe
c:\users\public\pictures\sample pictures\Hydrangeas.jpg.8mig700b
binary
MD5: 6505618e41df3b98feb2b1d259c31303
SHA256: 4e4269dd8f07bb204818ea109fc73eef9b92e5d2aadc7c97784c8db792acea4c
940
w.exe
c:\users\public\pictures\sample pictures\Chrysanthemum.jpg.8mig700b
binary
MD5: cf15612d937951c33a28ddb3c60f3535
SHA256: 0f39ccc3287eb05253911eaaa625c2f90411d4bf08c02f9cf7e9dce74d39c239
940
w.exe
c:\users\public\pictures\sample pictures\Desert.jpg.8mig700b
binary
MD5: f8f1f528834ebfe8b0c3377eba61df69
SHA256: 4c039c33153ca84147720124b9989b5628e9962765f3e29854ab8a7c966c6785
940
w.exe
C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\windows live\Windows Live Spaces.url.8mig700b
binary
MD5: 6dd398b263befce97d78a90ea72afb75
SHA256: c9c20ed9e47c3d6bb9cbb20015321c25a52d9c59740692c45d023a20a09d6dc7
940
w.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Spaces.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\windows live\Windows Live Mail.url.8mig700b
binary
MD5: 30553a470eb3a826c9a2895ce183ffbe
SHA256: f0db44d2ba9c0b0acf6b6716964935fa6645fab46c181c5d16d3d6e22c1c692e
940
w.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\windows live\Windows Live Gallery.url.8mig700b
binary
MD5: cab951aac2f8cf3507e240f89ee72ec5
SHA256: fd36c820e39877f92740ec07fb9eab0406c0998d055df543c3e22f8e384ab160
940
w.exe
c:\users\administrator\favorites\windows live\Get Windows Live.url.8mig700b
binary
MD5: 1da1e1ffb848b3bb46e829701145d989
SHA256: 4af548049cfa26623f650a576dfc859e5e70b5df7244f611c20bad32453f1179
940
w.exe
C:\Users\Administrator\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\msn websites\MSNBC News.url.8mig700b
binary
MD5: 71269e90f21d29d9d5703ccc5caf8d5e
SHA256: 864465f98fad98a6601bb0b8034ee6ba40ab2b40cb86b09f13fd929bd4287264
940
w.exe
C:\Users\Administrator\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\msn websites\MSN.url.8mig700b
binary
MD5: 93d1225ba725dd2d3728062774d14c4c
SHA256: d74f02a1d6e38ec0a4a224477191b896b81ba27f119727cca6e90189247fb61b
940
w.exe
c:\users\administrator\favorites\msn websites\MSN Sports.url.8mig700b
binary
MD5: 849d1a2bd742ff96d0be31c8fe596735
SHA256: ac1542a609a1dddf1afb8cbcdcdb6ee57f6711073136d6a3fabc16f0a5af5388
940
w.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\msn websites\MSN Money.url.8mig700b
binary
MD5: 05f97f77ed7fd5bfb8a14509c62bb53e
SHA256: 25a5a181bedf552d8ff902c8a0edd91d3cd402c816a980a15bd8ebe3c71a26f4
940
w.exe
c:\users\administrator\favorites\msn websites\MSN Autos.url.8mig700b
binary
MD5: 611b8cb7c693f00eea7a4547845d6e14
SHA256: 579ac011648fa7c7322ae71ff3dc1144c0c12919e997217cc9fbd3eb0288082f
940
w.exe
c:\users\administrator\favorites\msn websites\MSN Entertainment.url.8mig700b
binary
MD5: 3e86c7f37ca9927dd9563dd151227afb
SHA256: f0f93e83fdffd2f7a309f0971b1985475efea5195de364ce86101323146089c9
940
w.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\microsoft websites\Microsoft Store.url.8mig700b
binary
MD5: 4eed984c839ce943ba121343096914db
SHA256: f392a0465f739d847cec092d9e0cfe3afa9d98ac709dc04d726bcf7ab087503c
940
w.exe
c:\users\administrator\favorites\microsoft websites\Microsoft At Work.url.8mig700b
binary
MD5: e28a746973292ccd39dd38648e430eb3
SHA256: 2a413b03522c862c63a708ba87f02cd7b23a9f7fc7bf63ab0c939e0a30af6d8d
940
w.exe
c:\users\administrator\favorites\microsoft websites\Microsoft At Home.url.8mig700b
binary
MD5: e28c1c7fd7c4d169614ce01f6dbdc3a6
SHA256: ef0e82137f6800cdad4250d42ce9974205bc9db8ebbfaa505765baaeef3a1dbf
940
w.exe
c:\users\administrator\favorites\microsoft websites\IE Add-on site.url.8mig700b
binary
MD5: 33f715b93ffa7f3283c84b1cfed3be99
SHA256: f0de9618081a75949ca0d5bbc519cea3efd769334ea5ff1eea5469d2cb9b9e34
940
w.exe
c:\users\administrator\favorites\microsoft websites\IE site on Microsoft.com.url.8mig700b
binary
MD5: aa16c8b367607a6d944ecffd54dd46f9
SHA256: 2c28551492956600593049a0e0c01365471bbc288346b83d4d0f252fcc0c1488
940
w.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\links for united states\USA.gov.url.8mig700b
binary
MD5: eb0a7ebaa2389f876cda5ee3167a0fa5
SHA256: acc67e9ac15bedb23915f8b7b93c90b295c441bf4f19b701820ae5d4b43c9255
940
w.exe
C:\Users\Administrator\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\favorites\links\Web Slice Gallery.url.8mig700b
binary
MD5: 713aecc4c2e336a87d450049d9703de1
SHA256: b0816908a958b7971c4add991f58cd9f5621686514bcec8e76cfbc3ab89dc864
940
w.exe
c:\users\administrator\favorites\links for united states\GobiernoUSA.gov.url.8mig700b
binary
MD5: 13c18450cf432f454222b0690b86c4bd
SHA256: 0a36ce7fada1a72f595b441d6d63d04f870631af56dcdeea5d62a025ad7b4d15
940
w.exe
C:\Users\Administrator\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\windows live\Windows Live Spaces.url.8mig700b
binary
MD5: 47263feb34a7a81e9d1dbd8e74cd8fec
SHA256: e522355f04347fbdcff904226435db39f5f42633e7f9cb4fa22c5de68c29c750
940
w.exe
c:\users\admin\favorites\windows live\Windows Live Mail.url.8mig700b
binary
MD5: 06288afc592209355b89455ca4c04f1f
SHA256: 9e2ee000ce1cdce27ed4eafcd8e815bbb049af5eeb1d9de428758bbfd644e957
940
w.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Mail.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\windows live\Windows Live Gallery.url.8mig700b
binary
MD5: 53b49d33c4ddd478f2bc59ec96bc033b
SHA256: 2ab618a04f34a175533d9db414b03e364a79668e6f765b0f3007b226380b5255
940
w.exe
C:\Users\admin\Favorites\Windows Live\Windows Live Gallery.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\windows live\Get Windows Live.url.8mig700b
binary
MD5: a0fee7e0baaa76c5351930c368717fa0
SHA256: 870d63a2eefa85980c2608d8154af8bae9552957cebb826b1d7e5ecb59a8a324
940
w.exe
c:\users\admin\favorites\msn websites\MSNBC News.url.8mig700b
binary
MD5: 5c9ed12b5e8f9c2cee3ee31a4b2684db
SHA256: fca1c57855769e14b36fb09f75f9bbfe2ad159c7dbac2135eea79ae6280b7c99
940
w.exe
C:\Users\admin\Favorites\Windows Live\Get Windows Live.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSNBC News.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\msn websites\MSN.url.8mig700b
binary
MD5: fc667435f36554de5a134426a747d478
SHA256: 307e6bc56b0738d1b341baf2ad26fc3f4d20f3164fb6bf91b1d1e4b3f3424fa0
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSN.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\msn websites\MSN Sports.url.8mig700b
binary
MD5: 1ea7499d9c81af4ef50c57b80ae6a28f
SHA256: 9be04d4cf013aabf0b15426d102fbe31c2f074f08ca6880ea256458c5cd24fa4
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSN Sports.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\msn websites\MSN Autos.url.8mig700b
binary
MD5: a592bf35cc3039b964d31c6a91ec9cb8
SHA256: 740c5b611ac5db42534af0c8c7aeed051fee0890a77eb679d86c64d5cd9cab71
940
w.exe
c:\users\admin\favorites\msn websites\MSN Entertainment.url.8mig700b
binary
MD5: ae9d14e5e5c3736807db884c21681ecd
SHA256: a9cb3156da8031bf9122cc1cc11308cae823ca404bb4e2bd3bef2d8bb9940768
940
w.exe
c:\users\admin\favorites\msn websites\MSN Money.url.8mig700b
binary
MD5: 15458ef428fb6d0951fcba3cebdac645
SHA256: 18e909f29468bbe5de4588582c58e8243964450dcfe0d77dadbe4cef5a70b681
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSN Money.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSN Autos.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Favorites\MSN Websites\MSN Entertainment.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\microsoft websites\Microsoft Store.url.8mig700b
binary
MD5: 100669b22ef652160073c5ed91af81d3
SHA256: 3dbd611d2667c977476d6ec3af7ff4cbbc92bf7fed0c46f6881c4d120aa85189
940
w.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft Store.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\microsoft websites\Microsoft At Work.url.8mig700b
binary
MD5: 8ec9582730e8e892e59710e82f84288f
SHA256: 5797b40ba05934cf90ac1526291ad950093c6149bef959e915ac6b84f12cf726
940
w.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Work.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\microsoft websites\Microsoft At Home.url.8mig700b
binary
MD5: b8085e86b4342d3e534894c6376e07f1
SHA256: 397276181ccd781cfb2b8042f29e421c2b2923791384e8629c985e6008dc3686
940
w.exe
C:\Users\admin\Favorites\Microsoft Websites\Microsoft At Home.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\microsoft websites\IE site on Microsoft.com.url.8mig700b
binary
MD5: c00157d3f7dfd2b4e81964bc3ec5472f
SHA256: a4e34c110cdc15164dcfd09aa5f7853c61af18f8d0910a9dfff80b038e7040f1
940
w.exe
C:\Users\admin\Favorites\Microsoft Websites\IE site on Microsoft.com.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\microsoft websites\IE Add-on site.url.8mig700b
binary
MD5: ef55c60aec7bbc26d6e991c681966460
SHA256: 14e8a470b84b6187197cc511b4aacbaa4d2998697baa2f435f6010c6d1e3b0af
940
w.exe
C:\Users\admin\Favorites\Microsoft Websites\IE Add-on site.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\links for united states\GobiernoUSA.gov.url.8mig700b
pgc
MD5: 6d2821ac47a4cb7ea1d6f9f1e52a1c3f
SHA256: d9ca7f35cfd1fb36380bf14b38c2833b98ba888c261add44227b21548e20fbfa
940
w.exe
c:\users\admin\favorites\links for united states\USA.gov.url.8mig700b
binary
MD5: 30d03d167033bee3a2427724c62c415e
SHA256: ad5af4a878400d723ed18d745288505278f5b2ee40aa42bc8d35340e2919d1af
940
w.exe
C:\Users\admin\Favorites\Links for United States\USA.gov.url
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Favorites\Links for United States\GobiernoUSA.gov.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\links\Web Slice Gallery.url.8mig700b
binary
MD5: cd38328de5390f9f9e372b82412a2f7a
SHA256: 67ff0f10e5259443e45d2e2a5c0ed3057dda822ddbf0ae13e1ed263e19bc4c3f
940
w.exe
C:\Users\admin\Favorites\Links\Web Slice Gallery.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\favorites\links\Suggested Sites.url.8mig700b
binary
MD5: 2f4312b747f36801e4ed41d43a8e7319
SHA256: 9981d403ee766475552d8ee4c8a6afbdaebeeaa941523c982a982d6e0db893d8
940
w.exe
C:\Users\admin\Favorites\Links\Suggested Sites.url
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\outlook files\~Outlook.pst.tmp.8mig700b
binary
MD5: e627b635aa2fe3f2d0841d584d53d1db
SHA256: be78edd741c0b4f6a411cb540cfd007ddf7b3a4c2cc8859f3cf7114d802895e4
940
w.exe
C:\Users\admin\Documents\Outlook Files\~Outlook.pst.tmp
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\outlook files\Outlook Data File - test.pst.8mig700b
binary
MD5: e526c0822b72cdba9af2355a0aab9a2b
SHA256: e1f5187031a42624625dda3b7bc70157e494d01d46b2a3faea0885da3549d91d
940
w.exe
c:\users\admin\documents\outlook files\Outlook.pst.8mig700b
binary
MD5: 209dfb940a806e35bd1b1efdbd8db52e
SHA256: 52e6a98ad3456b3564849d64104516ea9228d582264f440e3316d8f8edfd5ea1
940
w.exe
c:\users\admin\documents\outlook files\Outlook Data File - NoMail.pst.8mig700b
binary
MD5: ba0309c04d46403b481ca03ddac2bc11
SHA256: e5de3b69e998c7872705c6a4de7ca37b53ef5bd5f47523b67aff31d8aa5685e3
940
w.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - test.pst
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Documents\Outlook Files\Outlook Data File - NoMail.pst
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\outlook files\[email protected]
binary
MD5: 06f463994dec06a60541e0f9b063f5e8
SHA256: 6299008aeb54f955cb43a3a35a3a513295bf7e11760a7fc4051e0c05f9da27b4
940
w.exe
C:\Users\admin\Documents\Outlook Files\[email protected]
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\public\videos\sample videos\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\documents\onenote notebooks\personal\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\recorded tv\sample media\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\pictures\sample pictures\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\public\libraries\RecordedTV.library-ms.8mig700b
binary
MD5: ee3ecbd12d20741e93943f761fbc8b32
SHA256: 5a281449dc2076dd4cdbfba95eb8f849d64357661e734a4d6b7df899661f7cf9
940
w.exe
C:\users\public\music\sample music\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\Public\Libraries\RecordedTV.library-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\searches\Indexed Locations.search-ms.8mig700b
binary
MD5: ae270409b73ee41b1c9eb6df57490df0
SHA256: c7189caf846145a4f02c116748d2603467089e76147c1c5ab352a12df63c2f67
940
w.exe
C:\Users\Administrator\Searches\Indexed Locations.search-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\administrator\searches\Everywhere.search-ms.8mig700b
binary
MD5: fb948a58dfdaa7745de4ef0322a6351f
SHA256: de1e91a95fc62481da8aebc6b68df3bbaf35c50930c9520060818ddd6ca88cb7
940
w.exe
C:\Users\Administrator\Searches\Everywhere.search-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\administrator\favorites\msn websites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\favorites\windows live\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\favorites\microsoft websites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\administrator\contacts\Administrator.contact.8mig700b
binary
MD5: 437c724197f294a844ddec92dbf58c3c
SHA256: b6686b65594070794170579c720948f781ac94088865e793ef37d8db8c4024ba
940
w.exe
C:\users\administrator\favorites\links for united states\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\favorites\links\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\Administrator\Contacts\Administrator.contact
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\searches\Microsoft Outlook.searchconnector-ms.8mig700b
binary
MD5: 6f9d51de96f8d971cc73b3d301b7b578
SHA256: ebefce34e039b349fdea080d610df0110930d5ca74324192a9b507c9ed0c07d4
940
w.exe
c:\users\admin\searches\Microsoft OneNote.searchconnector-ms.8mig700b
binary
MD5: 815ecd72584ea003c6e4255fd41a57fe
SHA256: e9c113ee32640f8b8c05950d8fdfb92eb259c8dcdf96d3e58c47a96766ef3d86
940
w.exe
C:\Users\admin\Searches\Microsoft Outlook.searchconnector-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\searches\Indexed Locations.search-ms.8mig700b
binary
MD5: fdb44451993b15861df6210a40ad9a73
SHA256: f7020e05dba41bcbac70580302f0223eebcae54aaa400c5d477e4ec2470fb4d3
940
w.exe
C:\Users\admin\Searches\Microsoft OneNote.searchconnector-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Windows\System32\CatRoot2\dberr.txt
––
MD5: 902904b48a4bed06b8241a1c28e6ba68
SHA256: 28795a5af8025b195fa2e8bb8ade1e207b5bb0ff583d662bbc061b02789be74e
940
w.exe
c:\users\admin\searches\Everywhere.search-ms.8mig700b
binary
MD5: e81020af4a15ec23aec50cfd321445ec
SHA256: a6a1109bee77e197697fb6cd019776059fcec94dd0ca2c8ad032a7cbd680bac4
940
w.exe
C:\Users\admin\Searches\Everywhere.search-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\providefair.jpg.8mig700b
binary
MD5: eccd5fa29d2e75f1a272d39261884dcf
SHA256: ace3fb87a15964d8b1717c8b9c3761b17233a3a4618e9466b7823c093d87c826
940
w.exe
c:\users\admin\pictures\receivedsexy.jpg.8mig700b
binary
MD5: ced6b59efa906013da4b1e393345d4ce
SHA256: f4baed57bd06d6a7e737db450008664feb618fba2d506470b30d177ea944866e
940
w.exe
C:\Users\admin\Pictures\providefair.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\openstyle.jpg.8mig700b
binary
MD5: 6585f55af8bc05134ed2ac430b7e9083
SHA256: 3f9165db6e595fae84702c874c48581e35d3b439ea78b6f9b737b39a4a375bc8
940
w.exe
C:\Users\admin\Pictures\openstyle.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\networkinghomes.png.8mig700b
binary
MD5: 248c2e12e85e3e8e50c7e6b64926135a
SHA256: 3bc1e2eec0c382f8dbcbea315c7a6b51283459e5533f7208ae9ff4ce133d1709
940
w.exe
C:\Users\admin\Pictures\networkinghomes.png
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\ministerreviews.jpg.8mig700b
binary
MD5: d1f625b2cad405b5928b5b5739e22a8b
SHA256: 023e1861864fc8a4ebb972b871b830a0921b92f805ed11d297bb373bfa724f9a
940
w.exe
C:\Users\admin\Pictures\ministerreviews.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\archivesring.jpg.8mig700b
binary
MD5: 54a55b9e1b3f44e1caa4cd9208fb632c
SHA256: cbb063cba11fc2aaef0fea91b41487e4cb7b3582f7bbb7eb70a56a958432f3b1
940
w.exe
C:\Users\admin\Pictures\archivesring.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\pictures\accesspro.png.8mig700b
binary
MD5: b384aaaf0d3c45dd320a583eee9be200
SHA256: b715fb7f5ae80004ff6194b3fc876f372ffc9681f184de96e00e18e529d268f9
940
w.exe
C:\Users\admin\Pictures\accesspro.png
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\admin\favorites\windows live\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\favorites\msn websites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\favorites\microsoft websites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\favorites\links for united states\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\admin\downloads\unitedselect.jpg.8mig700b
binary
MD5: c063ea1106325a88d9440510d6b472e6
SHA256: 73c661d4d578461d7cd25df51f0f68889335d7492ebd286399811e81b880b359
940
w.exe
c:\users\admin\downloads\understandmini.png.8mig700b
binary
MD5: c04033c91636c547ee7ac107eb34bc38
SHA256: 09f3b9d9935f8479500feabdcde9e0964a2d40495701b78884fb2edc059d74c7
940
w.exe
C:\users\admin\favorites\links\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\admin\Downloads\unitedselect.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\downloads\storiesphotos.jpg.8mig700b
binary
MD5: d30d11b5e32abe1a02a7a3b0ec226aa0
SHA256: 0bb395682a23f560ae8a944995d60dee1ffe2b3d3369a8bf1588fec0f68fb221
940
w.exe
C:\Users\admin\Downloads\storiesphotos.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Downloads\understandmini.png
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\downloads\requirementssatellite.png.8mig700b
binary
MD5: 07548c1a72421f6e1845556aea644fac
SHA256: eac2f07e0d919aa31eb9c4f85fb13839f5964b8e45301acb4145befdb20bb9c3
940
w.exe
c:\users\admin\downloads\japaneseaccount.jpg.8mig700b
binary
MD5: 0a17c5d9e9f08d7a9d9cb96025d26c16
SHA256: 19e7c5650c2dc622229551c36c715f955e08c25c12b0cb2d41c63ad6fed15857
940
w.exe
C:\Users\admin\Downloads\japaneseaccount.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\downloads\hpdaily.png.8mig700b
binary
MD5: b91ca3cff7ded989482e34ac0f6213a3
SHA256: 726afeac939376c9242a74f66b36f76405d1f2017f46620b4da2afb7ba444972
940
w.exe
c:\users\admin\downloads\duringago.png.8mig700b
binary
MD5: fa23c95422d9a6184dd48299ea847593
SHA256: 711926a0cbd79da9d276ab74fa6e2b07c3f17e37e1dbd3ff8e4d5d9ba31cef40
940
w.exe
C:\Users\admin\Downloads\hpdaily.png
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Downloads\duringago.png
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\admin\documents\outlook files\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\admin\documents\lordopen.rtf.8mig700b
binary
MD5: 1c6b6e8c8f18fdd2b88b96b63d0e9d44
SHA256: 244e3e6f3c4922ce3394aa87fddde93ff2298ba04349a0ec55560bd1f196b8fe
940
w.exe
C:\users\admin\documents\onenote notebooks\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\admin\Documents\lordopen.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\focusdifference.rtf.8mig700b
binary
MD5: 14ee3de825dc1dd2d99e66b25de2026c
SHA256: 84cdb68eeea42c8b7dce167388f532bd4b2a4530d24069094ea3b3058951ecba
940
w.exe
c:\users\admin\documents\favoritewill.rtf.8mig700b
binary
MD5: 07b21c72c5c4a2c7386892bb40539e82
SHA256: 8decb8578071ba01dcae2b1e3fecc6e2f4aa784bc739a4bca1e894a95e4b4a48
940
w.exe
C:\Users\admin\Documents\focusdifference.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Documents\favoritewill.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\economylink.rtf.8mig700b
flc
MD5: 262d52fb8e5fdf40c6f732e629f51291
SHA256: 785b203bbee3ee39a40524931cba0428b8ebfe92ded4b54b3e849e4264df4b8c
940
w.exe
c:\users\admin\documents\callcolor.rtf.8mig700b
binary
MD5: c15ea89cca3a430a574102978c45c698
SHA256: c8b77e7e71213ee5cdb2f1e29c47dc72758f9761fe73c1e07158a694763e7592
940
w.exe
C:\Users\admin\Documents\callcolor.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Documents\economylink.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\documents\butcd.rtf.8mig700b
binary
MD5: 39738632bfc566f10f11a99176ffab46
SHA256: 454ecd83ad3b2efd8b061640212fa44841ec37818855625909b0109110412b4a
940
w.exe
C:\Users\admin\Documents\butcd.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\restshipping.rtf.8mig700b
pgc
MD5: f4e069bb5d3494a51815817490a970b9
SHA256: 393e8afa5fdbe841fb18ec26679f27279515c673198833e66c5b7ac06ae6bcd4
940
w.exe
C:\Users\admin\Desktop\restshipping.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\ohiolove.rtf.8mig700b
binary
MD5: ca67ddcb01936fc443e1126a74729f6a
SHA256: 73303ccd469b37e4c0380fdcdf2308469cc631b88ace5be77137478d8dae76a7
940
w.exe
C:\Users\admin\Desktop\ohiolove.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\galleriesmanager.rtf.8mig700b
fli
MD5: 0f4861af0390a4e825a957b1d61550c9
SHA256: 63a900740f41165d95c8ce82a7c157ac3dfcc92d2ad73c1ab4f580a9cbdea6aa
940
w.exe
c:\users\admin\desktop\heartgraphics.rtf.8mig700b
binary
MD5: c467463c68db45495d0ed457d3b56644
SHA256: 69f1259b1c3a31e166210c53d27bb67be1f970bd453ba0f0fac71cef878aacdf
940
w.exe
C:\Users\admin\Desktop\galleriesmanager.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Desktop\heartgraphics.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\contactcom.rtf.8mig700b
binary
MD5: 4d2450d69083b5ae982e0e6ccf21964f
SHA256: 0e85c6f07607e437047b141f8c08c772a9d2f3e6662116f637a6da86d9e14fbb
940
w.exe
c:\users\admin\desktop\flmike.rtf.8mig700b
binary
MD5: 58722b7b0c04df095b84645be22e246d
SHA256: 73051f77cd803aef25290e1bf3eb9a360dc6a7cb9b7336eab85cdb134b5622c6
940
w.exe
C:\Users\admin\Desktop\flmike.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Desktop\contactcom.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\clearenvironment.png.8mig700b
binary
MD5: 7a5afecb65aa1ba80ff23d9e0fed7850
SHA256: 4320c0217edc13e59387d5017d9597b1a1d57e6332f3c135837eef3b71820065
940
w.exe
c:\users\admin\desktop\chairthink.jpg.8mig700b
binary
MD5: 278d6f3fab5ff5ada6e7bfe8cadb8a96
SHA256: 93bdbada97385f23021f5bc138f60cdf33537f6445572255bae7e99ef61ef510
940
w.exe
C:\Users\admin\Desktop\clearenvironment.png
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Desktop\chairthink.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\desktop\categorytraining.rtf.8mig700b
binary
MD5: 097a579004c385fee8fe879e62e30be5
SHA256: bf3c1c125d01490e8cbe5e3fd9da1185e521785caa5061904b358edd032f1835
940
w.exe
C:\Users\admin\Desktop\categorytraining.rtf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\contacts\admin.contact.8mig700b
binary
MD5: eaaa43efa10736b7952cd253f99a7843
SHA256: a43629fbd5946db39c62435a6aa430c8acf93c1600c753d4a9f353ce33e54b7e
940
w.exe
c:\users\admin\desktop\blackford.jpg.8mig700b
binary
MD5: 253d559e65fd1f6bd2e801b528b332a7
SHA256: 23bd884c0ebbce3823416e10575103579b497daecad9f9f03ef4c7ef54143a94
940
w.exe
C:\Users\admin\Desktop\blackford.jpg
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\admin\Contacts\admin.contact
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp.8mig700b
binary
MD5: e24dd1a4785bd58827298e9a45e033e3
SHA256: 94f6e9b69d96644d76cdafd95a00dd49b48dad99960591f33e124a44e8c61422
940
w.exe
C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\public\recorded tv\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\pictures\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\videos\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\libraries\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\music\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.8mig700b
binary
MD5: f2610a424abe6e443117b70a1bd70050
SHA256: d83a5ca81e5462d89a34934eb4741eb06ef27c048699c0d1318c1c026d4fe3ac
940
w.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.8mig700b
binary
MD5: ed7e26a5d337337688b89df8c6f07d82
SHA256: 2fdabe2691a24aa0158cea08fdc5693375edeb80b9b7d7b8cef6d8113dd61bf4
940
w.exe
C:\users\public\downloads\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\favorites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\public\documents\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\saved games\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\desktop\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\videos\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\pictures\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.8mig700b
binary
MD5: 2c913397fdd216f34be1ca27e2a97185
SHA256: 5067e5c5ebc5f23113270c1242bd300db83de85e6580cb4e13f13201cc7cad9d
940
w.exe
C:\Users\Default\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\users\default\NTUSER.DAT.LOG1.8mig700b
binary
MD5: d0a714b794a99141895b50d52eeb76f1
SHA256: 3cfe957a9dbd808152def6a4e55913de28624eade2dadcc0fabb780252157e0d
940
w.exe
C:\Users\Default\NTUSER.DAT.LOG1
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\default\music\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\links\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\downloads\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\favorites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\desktop\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\documents\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000002.regtrans-ms.8mig700b
binary
MD5: bb349ebeebe0a9c7fa0ffa6d7ac5c451
SHA256: 4f29d0ff620d301a312d6b2091496c3bd75b934d43d6dd60b439bb8ea8f6115e
940
w.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms.8mig700b
binary
MD5: 456e8dd38bcbe8e5a8ed0cbbade2a34b
SHA256: 086f457d086b0b1577e07c950f9b78c0f50ad74d4cbfa121b6f9684248f05fff
940
w.exe
C:\users\administrator\videos\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\searches\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TMContainer00000000000000000001.regtrans-ms
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\administrator\saved games\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\pictures\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
c:\users\administrator\ntuser.dat.LOG1.8mig700b
binary
MD5: e9f6c6f80e80a3cb4415615495f6a1f8
SHA256: db16268de882fdece8061371e5cce16583f2325279e5864af16194a7a860b05c
940
w.exe
c:\users\administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf.8mig700b
binary
MD5: 36c35fb1319c5e1533fdab4731a980ca
SHA256: 3b4ab587434af7e250a22edbecb0f165c36b82b7f50db5ec7c93d62a3a2185b2
940
w.exe
C:\Users\Administrator\ntuser.dat.LOG1
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\Users\Administrator\NTUSER.DAT{6cced2f1-6e01-11de-8bed-001e0bcd1824}.TM.blf
––
MD5:  ––
SHA256:  ––
940
w.exe
c:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi.8mig700b
binary
MD5: f1350efceea75f58b1c491eb8fbbf8df
SHA256: 600cb5ac91937b12bd0724d03f67f942efcf2a4af320f4e6f754e7c18ee3b30f
940
w.exe
C:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
––
MD5:  ––
SHA256:  ––
940
w.exe
C:\users\administrator\links\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\music\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\favorites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\downloads\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\documents\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\desktop\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\searches\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\saved games\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\contacts\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\videos\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\pictures\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\links\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\music\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\downloads\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\favorites\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\contacts\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\documents\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\.oracle_jre_usage\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\desktop\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\public\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\default\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\administrator\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\admin\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\recovery\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\users\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\program files\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
940
w.exe
C:\8mig700b-readme.txt
binary
MD5: f89661080d2a3a4f6f7dff513d05de97
SHA256: 82ffe8f1c0a15ba72f529f464ee17b940a09ac6fa3ad3312a8ee23a16c5ff860
2404
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: a272b20d1454efe23a324e582f0e701d
SHA256: 68aa16559f2894a02236a7716541c3fcf362333253818fdfe6fde31c94e95051
2404
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF18968e.TMP
binary
MD5: a272b20d1454efe23a324e582f0e701d
SHA256: 68aa16559f2894a02236a7716541c3fcf362333253818fdfe6fde31c94e95051
2404
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0U6V6RX2WT5YXQ51GV97.temp
––
MD5:  ––
SHA256:  ––

Find more information of the staic content and download it at the full report

Network activity

HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
4
Threats
0

HTTP requests

No HTTP requests.

Connections

PID Process IP ASN CN Reputation
940 w.exe 51.77.194.81:443 GB unknown
940 w.exe 162.208.49.124:443 Database by Design, LLC US unknown
940 w.exe 217.160.0.51:443 1&1 Internet SE DE malicious

DNS requests

Domain IP Reputation
brunoimmobilier.com 51.77.194.81
unknown
rubyaudiology.com 162.208.49.124
unknown
teutoradio.de 217.160.0.51
malicious
bluelakevision.com No response unknown

Threats

No threats detected.

Debug output strings

No debug info.