b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e

Analysis

max time kernel
202s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Size

840KB
MD5

6b3ce93d85920fbb6945ae50444e9814
SHA1

4136c8bd98230f322a66b716657b5416e5b54709
SHA256

b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e
SHA512

99d1a5634dcce95b58804dc03cef2e6ad282db415ceeb2e47bb26ddaafe5d4a26800271ddefd471b1508271b3f5fd9ca5a6fb4b3880135456b4200b7d7fe68d7
SSDEEP

24576:6Woih7R4t1VyWkuS6/D7TnF7Ex7UM4Fs:6IAkW77p

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wscp.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	wscp.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wscp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe

Executes dropped EXE 2 IoCs

pid	Process
4924	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
2204	wscp.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	\??\c:\windows\Desktop.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\Desktop.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\Desktop.ini	wscp.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	wscp.exe
File opened (read-only)	\??\E:	wscp.exe
File opened (read-only)	\??\Q:	wscp.exe
File opened (read-only)	\??\R:	wscp.exe
File opened (read-only)	\??\V:	wscp.exe
File opened (read-only)	\??\O:	wscp.exe
File opened (read-only)	\??\T:	wscp.exe
File opened (read-only)	\??\F:	wscp.exe
File opened (read-only)	\??\G:	wscp.exe
File opened (read-only)	\??\H:	wscp.exe
File opened (read-only)	\??\I:	wscp.exe
File opened (read-only)	\??\L:	wscp.exe
File opened (read-only)	\??\N:	wscp.exe
File opened (read-only)	\??\U:	wscp.exe
File opened (read-only)	\??\Z:	wscp.exe
File opened (read-only)	\??\J:	wscp.exe
File opened (read-only)	\??\P:	wscp.exe
File opened (read-only)	\??\W:	wscp.exe
File opened (read-only)	\??\X:	wscp.exe
File opened (read-only)	\??\Y:	wscp.exe
File opened (read-only)	\??\K:	wscp.exe
File opened (read-only)	\??\M:	wscp.exe
File opened (read-only)	\??\S:	wscp.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	wscp.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	wscp.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File created	\??\c:\windows\SysWOW64\XPs.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	wscp.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	wscp.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	wscp.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	wscp.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	wscp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	wscp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	wscp.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	wscp.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	wscp.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	wscp.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\Desktop.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\Desktop.ini	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
File opened for modification	\??\c:\windows\Desktop.ini	wscp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	wscp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	wscp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	wscp.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe
2204	wscp.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
2204	wscp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4924	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	82
PID 4540 wrote to memory of 4924	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	82
PID 4540 wrote to memory of 4924	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	82
PID 4540 wrote to memory of 2204	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	83
PID 4540 wrote to memory of 2204	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	83
PID 4540 wrote to memory of 2204	4540	b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe	83

C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
"C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
  C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe
  2⤵
  - Executes dropped EXE
  PID:4924
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\wscp.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\wscp.exe" b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e
  2⤵
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe

Filesize
768KB

MD5
2a7a3a8f016fba41d92070eee333f97e

SHA1
7545e28936ac8a169f384084c8fda7200f565a6d

SHA256
6429ea6f4f3beb2bf732b30b6688d9767a3dbfe82ece08f3b36feb229f6c0ac0

SHA512
5441065eefbec6f787781eb6873c47ba9c62b40c4ff5e9dfdaf86395d444934b9a0330d81401667ae1968c8d2778684a4bd159a3df33d015f91719ccfa562be3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b50330e478d8f64d2bcfe0dcc5594f9e18d993308c44fed9d94b04eb8e40e60e.exe

Filesize
768KB

MD5
2a7a3a8f016fba41d92070eee333f97e

SHA1
7545e28936ac8a169f384084c8fda7200f565a6d

SHA256
6429ea6f4f3beb2bf732b30b6688d9767a3dbfe82ece08f3b36feb229f6c0ac0

SHA512
5441065eefbec6f787781eb6873c47ba9c62b40c4ff5e9dfdaf86395d444934b9a0330d81401667ae1968c8d2778684a4bd159a3df33d015f91719ccfa562be3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\wscp.exe

Filesize
76KB

MD5
2ebb2a4399cbfd6ffec53e813f92f9b8

SHA1
f69b7fb9ce0b3092b5bd9e7dd33f4a91e4147598

SHA256
a1c88eed3e59f1a35371424cb3dfeadca168c0496ba0ff496d2c29062a18602b

SHA512
43e3d2ad40354838797a2cdc05c826d82d62bf6a8498604062a94b788bc8411c9887f23088e022ae3f4e7b8f72c373aa73b60fac66df270e950ba3c8e84302be

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\NIMDA ANGEL.bmp

Filesize
448KB

MD5
e7887e0244bca82d067ca54d68a5836d

SHA1
ab5e75e99d054fa9eeb7a654ab1b4950313edd59

SHA256
84ce3dc90d1826b6739a2119460f031d9751d0e36e8569e6bc1cc9428b761437

SHA512
132790a81dd638e951674c53275147745a4584414dc4b61d58b471cb73922bac3c812d749556a446838e75e3044c67909dc616aceca0b4987250a51a9b606d0d

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\wscp.exe

Filesize
76KB

MD5
2ebb2a4399cbfd6ffec53e813f92f9b8

SHA1
f69b7fb9ce0b3092b5bd9e7dd33f4a91e4147598

SHA256
a1c88eed3e59f1a35371424cb3dfeadca168c0496ba0ff496d2c29062a18602b

SHA512
43e3d2ad40354838797a2cdc05c826d82d62bf6a8498604062a94b788bc8411c9887f23088e022ae3f4e7b8f72c373aa73b60fac66df270e950ba3c8e84302be

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
256KB

MD5
42b947eae0d63c06564b0f6c47d34fc5

SHA1
a995481e06dd5e0aab39c5c9eb969728802c9f5c

SHA256
c76b0187013c31feb7fdd810c4f2d01c347cfbc1dbe71e1711ca3c245d4a0fd3

SHA512
14abd8f93e25763aaafd273a59c9eac384015c0761dcb488622362b1e05d46bec95782f1af7f8011e50227bcaed8320ef4e4cacddf4a03ba257f73d14eeffb87

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit