medusalocker | b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-02-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Neshta.exe
Size

719KB
MD5

8474039d83805eb7b447325c3a8d1ebb
SHA1

a07d537f4253745a087709a9a07c449f84deed8d
SHA256

b2493a580153291b69ca23190d00a00b1220cd0aadf469b3974fdaa726516649
SHA512

3272091bbf123ba5e1592e8b2bd7740cddcb174fa158bc6980b25ee61d92387e94a25284736253f83a6eea78b427f6717e888e843db9d7759cfe9a7676576438
SSDEEP

12288:q4UOTYQivI2qZ7aSgLwkFVpzUvest4ZEbjJLuhJVoM7SPd:bRTYVQ2qZ7aSgLwuVfstRJL6YM6

Score

10^/10

medusalocker neshta evasion persistence ransomware spyware stealer trojan

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Ransom Note

<html> <style type="text/css"> body { background-color: #f5f5f5; } h1, h3{ text-align: center; text-transform: uppercase; font-weight: normal; } /*---*/ .tabs1{ display: block; margin: auto; } .tabs1 .head{ text-align: center; float: top; padding: 0px; text-transform: uppercase; font-weight: normal; display: block; background: #81bef7; color: #DF0101; font-size: 30px; } .tabs1 .identi { font-size: 10px; text-align: center; float: top; padding: 15px; display: block; background: #81bef7; color: #DFDFDF; } .tabs .content { background: #f5f5f5; /*text-align: center;*/ color: #000000; padding: 25px 15px; font-size: 15px; font-weight: 400; line-height: 20px; } .tabs .content a { color: #df0130; font-size: 23px; font-style: italic; text-decoration: none; line-height: 35px; } .tabs .content .text{ padding: 25px; line-height: 1.2; } </style> <body> <div class="tabs1"> <div class="head" ><b>Your personal ID:</b></div> <div class="identi"> <span style="width:1000px; color: #ffffff; font-size: 10px;">815201A8D536FE72D39430928A60A1230816F34A22B41C6B8A44583FCA4F7F6442846FFD31107B21E4001F4FCFD6844C3B2E9DC208B0202950D058FF74DF334B<br>E3BCD5DB8950513C4B03B2D9730E23FEB365F2AB8A1321233189816BFD894ACB33C3CBE94F9DA272CB1364A7AAD4A5D807A400A358BB598464C4C0F34D28<br>C3A88B0FA0BF6EE50478F682692B2E08851AD9E876E54DB07C5745E5B7818A7F16B9402E09C6C1E6F62D06D39AA590A5236C17057E53EAC822D8E382B2F6<br>94644A4F84CA9C9429A9BE1491C137AA65752C3D2B581C6904E595E35653D7237F0107D4327B129F9BE942C29DEDD3AF7A0A0F91FC6033FEDC6E18552119<br>1EC6DE74316DAC07281BB85F7EF947F9375F8C5BEE5ACFA001CAC94E963DA7DA3E0F22B5FF61AC33DE1A1AF5F00E61F4E5C2DE0177811EE99692DD932519<br>E5CDF0D057ECD0A3BC91E6FCC22B2FC879CBBD8061A6FFC1102F54FC75C9A6A0CE81CF67E459A0431C477F68F144F03E3923CEA3C9516BA28CD8445A2B00<br>CB3EE1C09C95D8184F4CEC3E75049874F71E40CF99AAF9712B72BAEBF9E9E7AF26B524DF8D18A4136B759AE08D47845F0F4ED6D7E313E6EF77AB978C9BAF<br>6ABCA4E7526DDF08761112C13C998F723E8441114EEF29E0276525D1EFA9125B7030885880664B83AD5B01B3989ADA13713A625D7DC7BC88B42CD49909AA<br>902A3E3D736CF99AEC0FC6514720</span> <br>  </div> </div>  <div class="tabs">  <div class="tab"> <div id="tab-content1" class="content"> <div class="text">  <b>/!\ YOUR COMPANY NETWORK HAS BEEN PENETRATED /!\</b><br> <b>All your important files have been encrypted!</b><br><br> <hr> Your files are safe! Only modified. (RSA+AES)<br><br> ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE<br> WILL PERMANENTLY CORRUPT IT.<br> DO NOT MODIFY ENCRYPTED FILES.<br> DO NOT RENAME ENCRYPTED FILES.<br><br> No software available on internet can help you. We are the only ones able to<br> solve your problem.<br><br> We gathered highly confidential/personal data. These data are currently stored on<br> a private server. This server will be immediately destroyed after your payment.<br> If you decide to not pay, we will release your data to public or re-seller.<br> So you can expect your data to be publicly available in the near future..<br><br> We only seek money and our goal is not to damage your reputation or prevent<br> your business from running.<br><br> You will can send us 2-3 non-important files and we will decrypt it for free<br> to prove we are able to give your files back.<br><br>  <hr> <b>Contact us for price and get decryption software.</b><br><br> <a>http://gvlay6u4g53rxdi5.onion/31-LPy3hdSfGLBgLSfGcKN9rubDKoa1VMK4-dbCnNSAul0fvq3TbbLW6VkdqGEHqT6g2</a><br> * Note that this server is available via Tor browser only<br><br> Follow the instructions to open the link:<br> 1. Type the addres "https://www.torproject.org" in your Internet browser. It opens the Tor site.<br> 2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.<br> 3. Now you have Tor browser. In the Tor Browser open "{{URL}}". <br> 4. Start a chat and follow the further instructions. <br><br> <hr> <b>If you can not use the above link, use the email:</b><br> <a href="[email protected]">[email protected]</a> <br><a href="[email protected]">[email protected]</a> <br> <b>* To contact us, create a new mail on the site:</b> <a href="https://protonmail.com">protonmail.com<br> <hr> <b>Make contact as soon as possible. Your private key (decryption key) <br> is only stored temporarily.<br><br> IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.</b><br> </div> </div> </div>   </div> </div>  </div> </div> </body> </html>

Emails

href="[email protected]">[email protected]</a>

Signatures

Detect Neshta payload 7 IoCs

resource	yara_rule
behavioral1/files/0x0001000000010320-12.dat	family_neshta
behavioral1/files/0x000100000001031e-134.dat	family_neshta
behavioral1/memory/1732-547-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1732-719-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1732-720-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/memory/1732-722-0x0000000000400000-0x000000000041B000-memory.dmp	family_neshta
behavioral1/files/0x000100000001127d-727.dat	family_neshta

MedusaLocker
Ransomware with several variants first seen in September 2019.
ransomware medusalocker

MedusaLocker payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000012270-2.dat	family_medusalocker

Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
persistence spyware neshta

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (203) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 2 IoCs

pid	Process
2432	Neshta.exe
1748	svhost.exe

Loads dropped DLL 4 IoCs

pid	Process
1732	Neshta.exe
1732	Neshta.exe
1732	Neshta.exe
1616	IEXPLORE.EXE

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Neshta.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-452311807-3713411997-1028535425-1000\desktop.ini	Neshta.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Neshta.exe
File opened (read-only)	\??\X:	Neshta.exe
File opened (read-only)	\??\F:	Neshta.exe
File opened (read-only)	\??\B:	Neshta.exe
File opened (read-only)	\??\J:	Neshta.exe
File opened (read-only)	\??\M:	Neshta.exe
File opened (read-only)	\??\Q:	Neshta.exe
File opened (read-only)	\??\V:	Neshta.exe
File opened (read-only)	\??\W:	Neshta.exe
File opened (read-only)	\??\Y:	Neshta.exe
File opened (read-only)	\??\Z:	Neshta.exe
File opened (read-only)	\??\A:	Neshta.exe
File opened (read-only)	\??\N:	Neshta.exe
File opened (read-only)	\??\O:	Neshta.exe
File opened (read-only)	\??\R:	Neshta.exe
File opened (read-only)	\??\T:	Neshta.exe
File opened (read-only)	\??\P:	Neshta.exe
File opened (read-only)	\??\S:	Neshta.exe
File opened (read-only)	\??\U:	Neshta.exe
File opened (read-only)	\??\E:	Neshta.exe
File opened (read-only)	\??\H:	Neshta.exe
File opened (read-only)	\??\I:	Neshta.exe
File opened (read-only)	\??\K:	Neshta.exe
File opened (read-only)	\??\L:	Neshta.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpshare.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ONENOTE.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmlaunch.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wab.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~1\wabmig.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\UNINST~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	Neshta.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmplayer.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE	Neshta.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	Neshta.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	Neshta.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\svchost.com	Neshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2824	vssadmin.exe
3044	vssadmin.exe
2736	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DD9F001-CE8F-11EE-BFFC-EAAD54D9E991} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "21"	IEXPLORE.EXE

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	Neshta.exe
Key created	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000_Classes\Local Settings	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithList\WINWORD.EXE	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe
2432	Neshta.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeBackupPrivilege	1884	vssvc.exe
Token: SeRestorePrivilege	1884	vssvc.exe
Token: SeAuditPrivilege	1884	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1704	wmic.exe
Token: SeSecurityPrivilege	1704	wmic.exe
Token: SeTakeOwnershipPrivilege	1704	wmic.exe
Token: SeLoadDriverPrivilege	1704	wmic.exe
Token: SeSystemProfilePrivilege	1704	wmic.exe
Token: SeSystemtimePrivilege	1704	wmic.exe
Token: SeProfSingleProcessPrivilege	1704	wmic.exe
Token: SeIncBasePriorityPrivilege	1704	wmic.exe
Token: SeCreatePagefilePrivilege	1704	wmic.exe
Token: SeBackupPrivilege	1704	wmic.exe
Token: SeRestorePrivilege	1704	wmic.exe
Token: SeShutdownPrivilege	1704	wmic.exe
Token: SeDebugPrivilege	1704	wmic.exe
Token: SeSystemEnvironmentPrivilege	1704	wmic.exe
Token: SeRemoteShutdownPrivilege	1704	wmic.exe
Token: SeUndockPrivilege	1704	wmic.exe
Token: SeManageVolumePrivilege	1704	wmic.exe
Token: 33	1704	wmic.exe
Token: 34	1704	wmic.exe
Token: 35	1704	wmic.exe
Token: SeIncreaseQuotaPrivilege	2648	wmic.exe
Token: SeSecurityPrivilege	2648	wmic.exe
Token: SeTakeOwnershipPrivilege	2648	wmic.exe
Token: SeLoadDriverPrivilege	2648	wmic.exe
Token: SeSystemProfilePrivilege	2648	wmic.exe
Token: SeSystemtimePrivilege	2648	wmic.exe
Token: SeProfSingleProcessPrivilege	2648	wmic.exe
Token: SeIncBasePriorityPrivilege	2648	wmic.exe
Token: SeCreatePagefilePrivilege	2648	wmic.exe
Token: SeBackupPrivilege	2648	wmic.exe
Token: SeRestorePrivilege	2648	wmic.exe
Token: SeShutdownPrivilege	2648	wmic.exe
Token: SeDebugPrivilege	2648	wmic.exe
Token: SeSystemEnvironmentPrivilege	2648	wmic.exe
Token: SeRemoteShutdownPrivilege	2648	wmic.exe
Token: SeUndockPrivilege	2648	wmic.exe
Token: SeManageVolumePrivilege	2648	wmic.exe
Token: 33	2648	wmic.exe
Token: 34	2648	wmic.exe
Token: 35	2648	wmic.exe
Token: SeIncreaseQuotaPrivilege	1972	wmic.exe
Token: SeSecurityPrivilege	1972	wmic.exe
Token: SeTakeOwnershipPrivilege	1972	wmic.exe
Token: SeLoadDriverPrivilege	1972	wmic.exe
Token: SeSystemProfilePrivilege	1972	wmic.exe
Token: SeSystemtimePrivilege	1972	wmic.exe
Token: SeProfSingleProcessPrivilege	1972	wmic.exe
Token: SeIncBasePriorityPrivilege	1972	wmic.exe
Token: SeCreatePagefilePrivilege	1972	wmic.exe
Token: SeBackupPrivilege	1972	wmic.exe
Token: SeRestorePrivilege	1972	wmic.exe
Token: SeShutdownPrivilege	1972	wmic.exe
Token: SeDebugPrivilege	1972	wmic.exe
Token: SeSystemEnvironmentPrivilege	1972	wmic.exe
Token: SeRemoteShutdownPrivilege	1972	wmic.exe
Token: SeUndockPrivilege	1972	wmic.exe
Token: SeManageVolumePrivilege	1972	wmic.exe
Token: 33	1972	wmic.exe
Token: 34	1972	wmic.exe
Token: 35	1972	wmic.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2788	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2788	iexplore.exe
2788	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2432	1732	Neshta.exe	28
PID 1732 wrote to memory of 2432	1732	Neshta.exe	28
PID 1732 wrote to memory of 2432	1732	Neshta.exe	28
PID 1732 wrote to memory of 2432	1732	Neshta.exe	28
PID 2432 wrote to memory of 2736	2432	Neshta.exe	29
PID 2432 wrote to memory of 2736	2432	Neshta.exe	29
PID 2432 wrote to memory of 2736	2432	Neshta.exe	29
PID 2432 wrote to memory of 2736	2432	Neshta.exe	29
PID 2432 wrote to memory of 1704	2432	Neshta.exe	32
PID 2432 wrote to memory of 1704	2432	Neshta.exe	32
PID 2432 wrote to memory of 1704	2432	Neshta.exe	32
PID 2432 wrote to memory of 1704	2432	Neshta.exe	32
PID 2432 wrote to memory of 2824	2432	Neshta.exe	34
PID 2432 wrote to memory of 2824	2432	Neshta.exe	34
PID 2432 wrote to memory of 2824	2432	Neshta.exe	34
PID 2432 wrote to memory of 2824	2432	Neshta.exe	34
PID 2432 wrote to memory of 2648	2432	Neshta.exe	36
PID 2432 wrote to memory of 2648	2432	Neshta.exe	36
PID 2432 wrote to memory of 2648	2432	Neshta.exe	36
PID 2432 wrote to memory of 2648	2432	Neshta.exe	36
PID 2432 wrote to memory of 3044	2432	Neshta.exe	38
PID 2432 wrote to memory of 3044	2432	Neshta.exe	38
PID 2432 wrote to memory of 3044	2432	Neshta.exe	38
PID 2432 wrote to memory of 3044	2432	Neshta.exe	38
PID 2432 wrote to memory of 1972	2432	Neshta.exe	40
PID 2432 wrote to memory of 1972	2432	Neshta.exe	40
PID 2432 wrote to memory of 1972	2432	Neshta.exe	40
PID 2432 wrote to memory of 1972	2432	Neshta.exe	40
PID 2500 wrote to memory of 1748	2500	taskeng.exe	46
PID 2500 wrote to memory of 1748	2500	taskeng.exe	46
PID 2500 wrote to memory of 1748	2500	taskeng.exe	46
PID 2500 wrote to memory of 1748	2500	taskeng.exe	46
PID 2788 wrote to memory of 1616	2788	iexplore.exe	49
PID 2788 wrote to memory of 1616	2788	iexplore.exe	49
PID 2788 wrote to memory of 1616	2788	iexplore.exe	49
PID 2788 wrote to memory of 1616	2788	iexplore.exe	49

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Neshta.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	Neshta.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Neshta.exe
"C:\Users\Admin\AppData\Local\Temp\Neshta.exe"
1⤵
- Loads dropped DLL
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe
  "C:\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2432
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2736
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2824
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2648
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:3044
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic.exe SHADOWCOPY /nointeractive
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\taskeng.exe
taskeng.exe {396D24F5-511B-4E93-A44A-8826375E7996} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Users\Admin\AppData\Roaming\svhost.exe
  C:\Users\Admin\AppData\Roaming\svhost.exe
  2⤵
  - Executes dropped EXE
  PID:1748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\Recovery_Instructions.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
  2⤵
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe

Filesize
547KB

MD5
cf6c595d3e5e9667667af096762fd9c4

SHA1
9bb44da8d7f6457099cb56e4f7d1026963dce7ce

SHA256
593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

SHA512
ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Recovery_Instructions.html

Filesize
4KB

MD5
077a64fccd6bc77d75cc9266645b8f5d

SHA1
a1962b6aed3feda99104c310d994c95132da90da

SHA256
774cfdcc5f7a2a11bb3d8de646505bd246f17dfae06147c037c7503ea52b9a27

SHA512
ee92e0081bdf272ea75b64a37fc4682dbfdcb619effeee51c0f325422dae744b339383ffcbea0fe2025b79802429b3cb70304c0db1dba12708772402c9e1ebc6

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE

Filesize
864KB

MD5
5c8e52b8cec7121c5c2f0f15417eafcf

SHA1
9b25615db299bafbf8e88e53cbd80ce52a61564b

SHA256
8c7cb017b6ec0c6ff4d891533707024947950ab2f33d5c3c9f18b758636a3190

SHA512
e68815670156dba5706d72eb6af5b0cea4d172101d08aac7e7313229793bf1cb940b3ef326e36d45bef613ac16750e047709e8c284b4dcbd8519257274719163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d340a61ca36424b5daf059bd19a2816e

SHA1
0189f9e22d00e47c2b64b76150bec4494929f610

SHA256
4c6b5f09327f1659c3e3d716c9700d3fbdf0251aca08f6bb1b1638c4125b7954

SHA512
76c7018a4d88d4338e197c7fce7d1d60c62a2a30d5f57601b0c7d048d89c98e831a79f2b7b075a97b39d5d381550b50663171a7a885f0ac27fb300ecd4dad5ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f2ecefab8cbf9ca2aa89f071f3f1212

SHA1
b40fc1deb583f0022ba689780302fe1cd2853d7e

SHA256
a3ee5ce1cd1fe753c8cbac3dcc6da11b00dcc0da10213d064f42e016984049e5

SHA512
07bf8c836ce25656fc7eaf45c63b9be901589c30679cca9425c570528fda7028b107994521ca74d96db02320e28e5e5c6c38688d8bcd0087b42630378a08f345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6d3a5e97ec9d304ed6e789c7f754bed

SHA1
1ab1b292b28fe5f6c5847dd6db04bf36bb2b5ba6

SHA256
aabdd670f30e939d07c84ea6a5c5a82666e0d3dceabfe0e18b0a60d3bc2ebb2a

SHA512
a67ccdbfec4d36dae4b01ab6f10be69730683bbe22fb8ccf917ba5fcd1825d9c4d40aa35291d90ec23f6ffdcb931d3ae6e9d10ebee27bcda47aaf1854d8d9e2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
034d05ee785409c420ff73ba625e38e0

SHA1
26305c2ff06aa7e25fe0397ea98140cdb8eddca5

SHA256
9b0545d0e132c3dcbb2990d5155fcf61e356cefdbd484fe0d2488cda720bd804

SHA512
a671287528a0c2fb0994ba676fdd3546d57a0f0a5f22c2d115c39228a02808a96884e943db8d8c2e5927a48fe9d20f707ff05f4c66571987d028192c1eca6db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5ccc3a89cd874da2da3816b1b779222d

SHA1
e0ff9e38c9f9ae0859ab360de3c02e2fe9ab11f7

SHA256
fe7b12f548e1b4963b4fe9b6f90d2f5cc7a186749228f882121b8eef5af630cd

SHA512
3cd30c18baa6ac318eb00b2ecb718e084e51927aab74056b19766d8f77ab196b70962c6e2f1b36f91e4d661df9e1d0f90eff32f265560c39bf8588d660001a05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d95d0683fd99d1ad612007629d2f501

SHA1
ac7b9c6fe2d67d686ef34d5998a3cb72e3c7dd38

SHA256
534a6eeb5bc3fbe4751676d5d0ea77ae767bdcdf22c3432b94eec7570b91071b

SHA512
d5189dffef4d94476819b1ed3ace9fc122ddb05cc10d9132a833930b0cc5113d81cdea36392d77bbe437b9dfd594e71d92f9994003f876d8fb2c0b0b73cff17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c678e7ea65fa1631ea65d96a2cea11f

SHA1
923d029976ee29be82360a550e202f56a9f46ad8

SHA256
5f6ab499d44bbe929aac09be8894a01901e06395026861162e90343f011d890e

SHA512
83155ff3d98ef26aeb2130e376301f2e8e3cea94c04703d49a6afe4fe22e53e22af2952e6dcfc740047eb50c99592bc25888c68cdb4ce4f5679a3deacfb489f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11d12b2accad60d1d253ef076c381448

SHA1
abd2372b383ea5d2e2fada3792a87e8c338c33d4

SHA256
a52a5224da9d174a13875196d3b52112852562169f736c365b3d5c931184473f

SHA512
41e759ca4aaae06f57b98e4ff75fa40f93a406875cd8533c7d2f8f320e3bcabadbf7bb009fb392f3424a661f7e695ba43659df0bf8bd1574ca0ec0137fc7bd03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab712D.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar71FB.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Default\NTUSER.DAT.LOG2

Filesize
536B

MD5
b9ec90e9a4be2310ea1b65d428b4a93a

SHA1
a5a856a14f193e28b834d139c19dfbb145e87f9b

SHA256
cbb79eea2196ecdab882045363e8358eaa0177fe459d7118849863055abe44d3

SHA512
66cc3ac608d5d209a390d6e32b8db37820776436a48731b24533746e9e5aec533de71d7bbcbe689dd1de9eb722d111ff19dd37d5e465ba54349ff1b40b896ee3

Download Submit
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE

Filesize
252KB

MD5
9e2b9928c89a9d0da1d3e8f4bd96afa7

SHA1
ec66cda99f44b62470c6930e5afda061579cde35

SHA256
8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

SHA512
2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

Download Submit
\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Filesize
1.4MB

MD5
5ae9c0c497949584ffa06f028a6605ab

SHA1
eb24dbd3c8952ee20411691326d650f98d24e992

SHA256
07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

SHA512
2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

Download Submit
\Users\Admin\AppData\Local\Temp\3582-490\Neshta.exe

Filesize
678KB

MD5
5aa0a571567f8437556e9b00ae5a3532

SHA1
45377cb152832c9112db7909219fa87a6e760aae

SHA256
73549f6017ad04e475e40e9d306b3e042d080843d8e7c029a5bb6b8ab7e34432

SHA512
d320fecef75b4514b9cf154d41c3cc03e2cd8f6bf15ff0d7c97398127c0728cf0b24e5a46435573d38b384b1515876070f28daa7d37e81de10d1db2b27ae51ec

Download Submit
memory/1732-722-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-720-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-719-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1732-547-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download