90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc

Analysis

max time kernel
150s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2022, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Size

97KB
MD5

3e0280728dd451fac5adeaa605d26e74
SHA1

a04e9396763e76400d7abc276a0ed7de2d04dec9
SHA256

90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc
SHA512

880e1b92391d27f9aac3e18105fb821595d6a3f1652f8316fa11d7b690926e967a994ef4f44a773483ada12f6c5193aaa800c0ed1f46c78218a3800e848cf2f1
SSDEEP

1536:anqdu3abBGy3G8V0iuodPprBmh/F9hSNfWy:aqhMPsDrBmh/F9sl

Score

10^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nizw.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	nizw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	nizw.exe

Executes dropped EXE 2 IoCs

pid	Process
4092	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
3344	nizw.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File created	\??\c:\windows\Desktop.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File opened for modification	\??\c:\windows\Desktop.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File opened for modification	\??\c:\windows\Desktop.ini	nizw.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	nizw.exe
File opened (read-only)	\??\N:	nizw.exe
File opened (read-only)	\??\P:	nizw.exe
File opened (read-only)	\??\R:	nizw.exe
File opened (read-only)	\??\Y:	nizw.exe
File opened (read-only)	\??\Z:	nizw.exe
File opened (read-only)	\??\F:	nizw.exe
File opened (read-only)	\??\J:	nizw.exe
File opened (read-only)	\??\K:	nizw.exe
File opened (read-only)	\??\O:	nizw.exe
File opened (read-only)	\??\S:	nizw.exe
File opened (read-only)	\??\T:	nizw.exe
File opened (read-only)	\??\E:	nizw.exe
File opened (read-only)	\??\H:	nizw.exe
File opened (read-only)	\??\L:	nizw.exe
File opened (read-only)	\??\W:	nizw.exe
File opened (read-only)	\??\X:	nizw.exe
File opened (read-only)	\??\G:	nizw.exe
File opened (read-only)	\??\I:	nizw.exe
File opened (read-only)	\??\M:	nizw.exe
File opened (read-only)	\??\Q:	nizw.exe
File opened (read-only)	\??\U:	nizw.exe
File opened (read-only)	\??\V:	nizw.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\maxtrox.txt	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File created	\??\c:\windows\SysWOW64\XPs.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	nizw.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	nizw.exe
File opened for modification	\??\c:\windows\SysWOW64\XPs.ini	nizw.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	nizw.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	nizw.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Desktop\Wallpaper = "c:\\Documents and Settings\\Admin\\Application Data\\Microsoft\\NIMDA ANGEL.bmp"	nizw.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	nizw.exe
File opened for modification	\??\c:\Program Files\HideComplete.exe	nizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	nizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	nizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	nizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	nizw.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	\??\c:\windows\Desktop.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File opened for modification	\??\c:\windows\Desktop.ini	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
File opened for modification	\??\c:\windows\Desktop.ini	nizw.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	nizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	nizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	nizw.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe
3344	nizw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
3344	nizw.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4092	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	81
PID 1316 wrote to memory of 4092	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	81
PID 1316 wrote to memory of 4092	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	81
PID 1316 wrote to memory of 3344	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	82
PID 1316 wrote to memory of 3344	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	82
PID 1316 wrote to memory of 3344	1316	90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe	82

C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
"C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
  C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe
  2⤵
  - Executes dropped EXE
  PID:4092
- \??\c:\Documents and Settings\Admin\Application Data\Microsoft\nizw.exe
  "c:\Documents and Settings\Admin\Application Data\Microsoft\nizw.exe" 90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc
  2⤵
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe

Filesize
25KB

MD5
8795c0339a7a7ee2c7a162f478b3e413

SHA1
8706dcf336076d47ebda7931351a466941cc4f00

SHA256
7adac90bdab7bb970b18dfd60c41d743f26bdbbc4de671776e9c10847aa76fa2

SHA512
c97889e9d0f70e215e599ab181c3cb33816f8eb6192c109fb7c306e1781dbf01684e7e33e77c742b97a0d84fbcb7eaa8008bc498613ae8270e8e9e74c1db6c7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\90d7ed6f01d8f532b4952193a124ec7a81e3583a5edca568547bf1aa7df447fc.exe

Filesize
25KB

MD5
8795c0339a7a7ee2c7a162f478b3e413

SHA1
8706dcf336076d47ebda7931351a466941cc4f00

SHA256
7adac90bdab7bb970b18dfd60c41d743f26bdbbc4de671776e9c10847aa76fa2

SHA512
c97889e9d0f70e215e599ab181c3cb33816f8eb6192c109fb7c306e1781dbf01684e7e33e77c742b97a0d84fbcb7eaa8008bc498613ae8270e8e9e74c1db6c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\nizw.exe

Filesize
76KB

MD5
31e48afa265e32da90f0097593fc20e1

SHA1
8e842f74b6606cf8cd5ab3ac06dc850c8eac02ed

SHA256
5517873d2e4fefcdac54f8c137d06a45834a78cfc25d1762224acd5b3ca8dbb0

SHA512
6fb29ceace35ec4f143743e1c3c1f63be43cade6c52fdd88c1d87dffbe42942ee744488110b15f5b8d165bbaac8394c4e34d1ae9717ac818f6b106e75ce8e774

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\nizw.exe

Filesize
76KB

MD5
31e48afa265e32da90f0097593fc20e1

SHA1
8e842f74b6606cf8cd5ab3ac06dc850c8eac02ed

SHA256
5517873d2e4fefcdac54f8c137d06a45834a78cfc25d1762224acd5b3ca8dbb0

SHA512
6fb29ceace35ec4f143743e1c3c1f63be43cade6c52fdd88c1d87dffbe42942ee744488110b15f5b8d165bbaac8394c4e34d1ae9717ac818f6b106e75ce8e774

Download Submit
\??\c:\windows\Desktop.ini

Filesize
127B

MD5
8052b40f98237069a82665e8e410104a

SHA1
3036d150d270117154f87834fa3bb06410b6ee47

SHA256
107ea9afadb0dd5adc3ac7e41520d4d65530da78cf86c70bf225572c0d1a4329

SHA512
a6e77194678ffb3b8844628e98562f644a58ba04661477a7cdc6cfabd0fba8d71fbff60f621a1b3bc7949a983b0a29df689c4a5b6b838e757b047a020dc56631

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
89944409647eee7c202487941ee58ebb

SHA1
e693cabb00e9c4bce82d0a9c6e57741df1252d20

SHA256
7003c105ae89b360cb65da1e95e6fe1ea306c139f35ced3ea61529f451727b06

SHA512
5b39ccb153749a75cb2e935d57644eeb5e3e413c9fc792d5c212dbf02cd3945e51a28495f619a8b3e4228014563003dbfbbc5dda14b363331bfe08aab6076a1d

Download Submit
\??\c:\windows\SysWOW64\XPs.ini

Filesize
1.4MB

MD5
d91c164d324457e45bd71bca367ea5f1

SHA1
5ceb0e1780e34053ba2771d0073df746a5ebb1cd

SHA256
e9e3f7ac57f2ab482861b3cf1afbdc15b2a51ae0d0512fb2fd9639d2266a9421

SHA512
6bd86a8ded4be8d0a9c28d240105e632ecb5132606791ec0a16a6640d11fff503745f3bb3d7f4c3dbaaa058eb93985fe0349ebcebc07737f602502c5355b5499

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit