23dbff82389243685ef46c7f0a3bcb9c52806696e5d4701c7cab562891bc4619

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
10/05/2024, 00:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
Size

796KB
MD5

2a82a8d01b2ddc18dd140c7473d2e3f0
SHA1

c176cda981e9252dbb4f651611d0a105f23c2dc9
SHA256

23dbff82389243685ef46c7f0a3bcb9c52806696e5d4701c7cab562891bc4619
SHA512

760a78b554d3f668bc211641e57a8b700ebcccb35de6f7390ae35c5dfb344cc7ff8ba1087cb13f5b47053f35561e5f2b7465b875cadda56e5eaccae97f1bae13
SSDEEP

24576:CgJ8cTa1yn1R6v+3Wqdd69lgJ8cTa1yn1R6v+3WqddG:rS+gi1c+GmlS+gi1c+GmU

Score

10^/10

defense_evasion evasion execution impact persistence ransomware spyware stealer

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+gnq.txt

Ransom Note

__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#!__!@#!@#! NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) How did this happen ? !!! Specially for your PC was generated personal RSA-4096 KEY, both public and private. !!! ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BITCOIN NOW! , and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://pp4dehh5nlkcs.pesslaugh.com/DFDD184C756560D5 2. http://ss7fh33dfnourebfle.geckoyao.com/DFDD184C756560D5 3. http://h5534bvnrnkj345.maniupulp.com/DFDD184C756560D5 If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: yez2o5lwqkmlv5lc.onion/DFDD184C756560D5 4. Follow the instructions on the site. !!! IMPORTANT INFORMATION: !!! Your personal pages: http://pp4dehh5nlkcs.pesslaugh.com/DFDD184C756560D5 http://ss7fh33dfnourebfle.geckoyao.com/DFDD184C756560D5 http://h5534bvnrnkj345.maniupulp.com/DFDD184C756560D5 !!! Your personal page Tor-Browser: yez2o5lwqkmlv5lc.onion/DFDD184C756560D5 !!! Your personal identification ID: DFDD184C756560D5

URLs

http://pp4dehh5nlkcs.pesslaugh.com/DFDD184C756560D5

http://ss7fh33dfnourebfle.geckoyao.com/DFDD184C756560D5

http://h5534bvnrnkj345.maniupulp.com/DFDD184C756560D5

http://yez2o5lwqkmlv5lc.onion/DFDD184C756560D5

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1424	bcdedit.exe
2964	bcdedit.exe
1600	bcdedit.exe
1652	bcdedit.exe
580	bcdedit.exe

Renames multiple (431) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe

Executes dropped EXE 2 IoCs

pid	Process
2704	cmjmppr.exe
2768	cmjmppr.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\verif-8746 = "C:\\Users\\Admin\\AppData\\Roaming\\cmjmppr.exe"	cmjmppr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\verif-8746 = "C:\\Users\\Admin\\AppData\\Roaming\\cmjmppr.exe"	cmjmppr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2704 set thread context of 2768	2704	cmjmppr.exe	34

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css	cmjmppr.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\fr-FR\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cs\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\RSSFeeds.css	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\slideShow.js	cmjmppr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\ru.pak	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jfr\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\cronometer_settings.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\es-ES\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_color120.jpg	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js	cmjmppr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_leftarrow.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\eu\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\TextConv\en-US\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\el.pak	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\de-DE\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\fr-FR\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	cmjmppr.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\HELP_RECOVER_instructions+gnq.html	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_pressed.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\HELP_RECOVER_instructions+gnq.txt	cmjmppr.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	cmjmppr.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\HELP_RECOVER_instructions+gnq.png	cmjmppr.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\NavigationUp_ButtonGraphic.png	cmjmppr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
264	vssadmin.exe
2060	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DDC1ACC1-0E62-11EF-B5B3-EE05037B2B23} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0d95cb26fa2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004247ac7d65a9fb932fdb7c5172b01587d5eba5e15cfd7cb7d5b332efec9da133000000000e800000000200002000000042d157e307d9abac403124d163607310a1148d8033081c61cd396838e16b08d620000000dff6220deb717071c650bd95e6dd79dfeb616516a4e6386905c6800046e79fe740000000443df16e091cef15c0ccf6754f531cd9487e0c0ad6ccdcf859b447d2bfe9ab02dc9d0073722adf0f384e715fc4a60b6ed20be0539e4871ed8b15651192515e15	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004d4057f6b91ffe55f5853a6ebd7cffc672ddb05a4a18b8546e587612871002ad000000000e8000000002000020000000112ce5e93048a4a76ffac964a181f1645f59cce71de6558d2ec03c8fe0ffb50290000000ce562a443e28e78387ae277073d0806fd2c6d19e7205448b3e65e1f217a7352922740416e9ca54ae5412ee9e0ee518ee2641eabec3ff00a5c5da4b1e4090baf86c06c388f00d38b4d4e15de62dac7a3db489cf390951d08043898da069fdb09f5c0dd01b696f378b83618b5eec99a3900f3a59e44e779ef9c2c8e54b59f5a79a6777d1b936c6cbe1daa957c4225ee1b7400000000906f553cc8851be91e37530a3c549dec28776dbb2c4b6dba353171da9d4ce095730fa3f04263852f264479fb05a2ba2d8edf0d22cda8d2f3e8fcabe9886dee2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1536	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe
2768	cmjmppr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
Token: SeDebugPrivilege	2768	cmjmppr.exe
Token: SeBackupPrivilege	2512	vssvc.exe
Token: SeRestorePrivilege	2512	vssvc.exe
Token: SeAuditPrivilege	2512	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2704	iexplore.exe
2028	DllHost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
2704	cmjmppr.exe
2704	iexplore.exe
2704	iexplore.exe
1500	IEXPLORE.EXE
1500	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 2128 wrote to memory of 3044	2128	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	28
PID 3044 wrote to memory of 2704	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	29
PID 3044 wrote to memory of 2704	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	29
PID 3044 wrote to memory of 2704	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	29
PID 3044 wrote to memory of 2704	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	29
PID 3044 wrote to memory of 284	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	30
PID 3044 wrote to memory of 284	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	30
PID 3044 wrote to memory of 284	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	30
PID 3044 wrote to memory of 284	3044	2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe	30
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2704 wrote to memory of 2768	2704	cmjmppr.exe	34
PID 2768 wrote to memory of 1424	2768	cmjmppr.exe	35
PID 2768 wrote to memory of 1424	2768	cmjmppr.exe	35
PID 2768 wrote to memory of 1424	2768	cmjmppr.exe	35
PID 2768 wrote to memory of 1424	2768	cmjmppr.exe	35
PID 2768 wrote to memory of 2060	2768	cmjmppr.exe	37
PID 2768 wrote to memory of 2060	2768	cmjmppr.exe	37
PID 2768 wrote to memory of 2060	2768	cmjmppr.exe	37
PID 2768 wrote to memory of 2060	2768	cmjmppr.exe	37
PID 2768 wrote to memory of 2964	2768	cmjmppr.exe	41
PID 2768 wrote to memory of 2964	2768	cmjmppr.exe	41
PID 2768 wrote to memory of 2964	2768	cmjmppr.exe	41
PID 2768 wrote to memory of 2964	2768	cmjmppr.exe	41
PID 2768 wrote to memory of 1600	2768	cmjmppr.exe	43
PID 2768 wrote to memory of 1600	2768	cmjmppr.exe	43
PID 2768 wrote to memory of 1600	2768	cmjmppr.exe	43
PID 2768 wrote to memory of 1600	2768	cmjmppr.exe	43
PID 2768 wrote to memory of 1652	2768	cmjmppr.exe	45
PID 2768 wrote to memory of 1652	2768	cmjmppr.exe	45
PID 2768 wrote to memory of 1652	2768	cmjmppr.exe	45
PID 2768 wrote to memory of 1652	2768	cmjmppr.exe	45
PID 2768 wrote to memory of 580	2768	cmjmppr.exe	47
PID 2768 wrote to memory of 580	2768	cmjmppr.exe	47
PID 2768 wrote to memory of 580	2768	cmjmppr.exe	47
PID 2768 wrote to memory of 580	2768	cmjmppr.exe	47
PID 2768 wrote to memory of 1536	2768	cmjmppr.exe	53
PID 2768 wrote to memory of 1536	2768	cmjmppr.exe	53
PID 2768 wrote to memory of 1536	2768	cmjmppr.exe	53
PID 2768 wrote to memory of 1536	2768	cmjmppr.exe	53
PID 2768 wrote to memory of 2704	2768	cmjmppr.exe	54
PID 2768 wrote to memory of 2704	2768	cmjmppr.exe	54
PID 2768 wrote to memory of 2704	2768	cmjmppr.exe	54
PID 2768 wrote to memory of 2704	2768	cmjmppr.exe	54
PID 2704 wrote to memory of 1500	2704	iexplore.exe	56
PID 2704 wrote to memory of 1500	2704	iexplore.exe	56

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	cmjmppr.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	cmjmppr.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\2a82a8d01b2ddc18dd140c7473d2e3f0_NeikiAnalytics.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Roaming\cmjmppr.exe
    C:\Users\Admin\AppData\Roaming\cmjmppr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\AppData\Roaming\cmjmppr.exe
      C:\Users\Admin\AppData\Roaming\cmjmppr.exe
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2768
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} bootems off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1424
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:2060
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} advancedoptions off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2964
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} optionsedit off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1600
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:1652
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit.exe /set {current} recoveryenabled off
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:580
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\help_recover_instructions.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1536
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\help_recover_instructions.HTM
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2704
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2704 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1500
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
        5⤵
        Interacts with shadow copies
        
        PID:264
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\2A82A8~1.EXE
    3⤵
    PID:284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+gnq.html

Filesize
8KB

MD5
4df3b8ab7f63ff9fbe1d8f59383aa2ec

SHA1
ebe343c15fb2742f330e84f082691bf2d8cbd10f

SHA256
b46e71164fdb2d7899a0c3fa09a9b701d2150366cda1630a7fc70ebfcd0c0b21

SHA512
98fa053d95a247a05634ea295ca868a8e8deb3312596cb4bef5656f992ccfd1d560bfbf8fe3d05bfead9fa12cf2264819a53e8661d173dafcf3cd5865ee46c38

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+gnq.png

Filesize
65KB

MD5
72a9d1ae5d85ccfb0c20ad83d993a551

SHA1
71d488eaee4721486afeab4d8d8364007b131a61

SHA256
70131a5b77d285be863042d3ae5f10fa232dc0d5a3a415c0822013255895442a

SHA512
b1995624ed5f01d54a5715d4aed491c878baea1f3bb36ad65c22751090b8bf94968063a3c24c7bb60e4010759dcdd999a867627982a8f447ddb29db1ae44605b

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\HELP_RECOVER_instructions+gnq.txt

Filesize
2KB

MD5
7d9d3808ca9b3e8dee435e521d976031

SHA1
cae6f68f12c143e2def12c51ee6897db4cbdb357

SHA256
58fd859e8119c6fa6f171441e200c922e52df3c898dd554eb735f8a9d59bcbde

SHA512
aa7693066bc8f907e6641507dcfcb256c853e8be28cfef817821a5624254ff7165b39ed3ec346ee5fbc92f2a7187518950a9c274d6eb01486c96187824aa3691

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt

Filesize
11KB

MD5
f61a004867fe8e6844e985dfe01316a3

SHA1
1275147ce22788047533baca8625a5dfabd75eac

SHA256
13d0522d07f32436847460daf0e132abb93d5cbd0286359f28304698bcfef7a4

SHA512
d2c7309a86ac40cca7407eb827b60a11ffb6201486b49758e12ca981100680c7c51a0b11a97be0e2274d671004b738e32c590fdea08f70e6e7cc5d4390690a22

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
109KB

MD5
79e40b795e91159f9c2899a0f50c69a6

SHA1
f2c126e368c5bc56c446be460f38c03e72539e10

SHA256
46f0b16dadbcafde74f7496a87cc4bee6bdba17821b02eeb66d09c11db03273e

SHA512
0210e344da9ba082c7143f5b7ae7210b9cfcf7d461d54d648d22e735315bb6d825eecf6131b1d8035d90e018ef7a2252b91a418a927a5e833e3a46a2ef344f62

Download Submit
C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt

Filesize
173KB

MD5
5e8b1f231e96ee3303df462c3c01b125

SHA1
f8c06a70228126e427b7dd07d7076901204972bc

SHA256
4f0a07a558c078af69a51ffbe8f64ce4c16cca0d306616f1543c72f99f73f90d

SHA512
0887b1172041989cfac969aa117c80acefbebaaa5549bccaa5e2752b7733f93760352bd13bc6fd0fa9cb06ae4ee1386816a7a5437b6942b43ac94c0a9f48037b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e65a507a41788a4822037c765818d275

SHA1
fc7a46f5828fcbfbc969dc66c0751bbc1dbbb29f

SHA256
dcd0425a0d22395f388bfc8316a0edf0dd2596ba38e4cf84ce74de93ebaf2b16

SHA512
a9581b060239a701112ada047634bc701a40af0432a8d5d1214d60cb257dc6ccffbb83cb97038a39cc3f5f664466a257ecce8ddcdf2980ac90372fc432d20a79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4bf5cdb4bd331d3af659f115fd39e4c

SHA1
8bf92d363b2ae940158e11c60603f1b74e31b94b

SHA256
56e15e20c63737eefdb0296e9c53c9fe5c5ed93ab19dcec494bd3ee16999a0ae

SHA512
2f707f4c89448bcf5cc3ee5a18b7d9bd5f834d5f0b0b566c8909a600cfa495a80838631fdbc262f5d0f003679a3f647164427a89bee5018ecf8e6aae7502541b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e949b217ea0d223ab6b451a32be2f1e5

SHA1
41d8f325ac56f60c0823789182ed2b7c8ed7c25f

SHA256
92874ca00f16ff0a412d80020d5025b3a37741e156bc21d5b12eea0a0a9ec483

SHA512
cb78be60d75e4d79a6db2fbd0eaec7268ed9dcd18e99777006aed4855cc1be99a03f54b5452d9cbd3d0769995660aaf44fa661155735ef1a0430969283c22685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d73ccc29ed0ef7e2a0e69341dc2a5c44

SHA1
6fdb7c9fc7e6ff3f50e9bc90b5db8277226e3016

SHA256
3eb505309dc77bc2bb11bac1f4861e8b3face9e768314a582a2f39ee2652fc50

SHA512
75db6e6416cf96c7502190a135e780e9413efb4e295ca766a162a42658b8d48296924039edc39b5d6c28d586c5300540dc1d7a7051b6724c82fb3a2befeff2be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e444000dd6f02f3632c238756ff7a872

SHA1
d0bab64fc227acd664c1a296ae0ffdbe42e970b7

SHA256
e1e95f268517b856272c3ad427469dd1546a519b3ce6edca6f70e9efc4689650

SHA512
b3eb713a4fff0c3d55bfcf26d7ac1d0add9e8d7a46d421961955c9a447b477013671ccaf37c647b574c7fe2b47018de5b96b5a63d4456e296958bb386ff2ffae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3557640e418191d7c93baed2de44a658

SHA1
e9a40b466a341568aa0c13286a73b4903de1fdd5

SHA256
61cfaa7b0310678eb2b244950fd262959fc92408685f14103e79e1f25af23639

SHA512
a9940b4dcefcaba3ed40bf3182a0dc86dbc98542a19ce6269be35a552a13073176d6788ecfd2c43c68a3c6a5a51abaca537cc86c2a6d6a6e625dc079b717bf3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be91f6070ed79d676b3aa877f8d6f83e

SHA1
975eaf7a90acc7fd8a41a1c3a2af55c08d4fe865

SHA256
b83cfd4a2701440075a874b2137421e4e34a33bd906794cf42c86ef6234146e1

SHA512
7c8398b9e087824f3712b40ed384a70b71740e45eaeb51a171d65529b5996cba4c2938e9e6b2bb7b0107a030eab21d9abcb60457f4ddbdcaa69b3708c3a0d3b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e12dd9d09fa37fb47cd8c79a43e1486

SHA1
d9501c9481caa67f43dfba363635380de9b61c77

SHA256
bbb1382a8c15f17d8786195dda8902ac09a5354f556cd841d8c00d21adfd7069

SHA512
4540372f01e3562cd1a51fedcfef8397062afa2ca0047b9f5413569125853b513198b17d1472da0b64e49fd16fbc3bd159f410ff920efaecf2a32a8602994c51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d5f09f6bcaf51b03215d33aa76a2e5f6

SHA1
20962a5e1a5918cdc72409ebef17ef949272c0dc

SHA256
22c2d443818f3708c61ff0e87d8531f6271cd5a51817818966f68fda87ada97b

SHA512
45afba39cb6cfbfdd542aa5d741d91aef545605487ca7b3b5e13d575e043b2fffe678fb8f537e4bac28eb10e6da30741ca248cbc9b1d35efe3bd3194e13be630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a64241c6f4b02476fc5dd52cf74794fb

SHA1
0dc205cde0e779df6a34ebb59538f678ac242fe4

SHA256
eeee31f79d3c7b18bdc8b5a36b1128813c8416f637599cdf4f3e3ea8fbdb511e

SHA512
1fd7ca5fcb9af93b6388e94d9af8b91c93705a3f33a17e06ab36a000613ce399a962821e4916f958e750152df36e31037ef4e780fa8094dfca0819c2f51e169f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1c9d2c138ddf2e5218c94213d88abadc

SHA1
fcf0bd3952567999e09d031b13056fded605656b

SHA256
9baf7890d3a639795b45b6fbac43363fefcabc69c4bbd9f9a090f2d9c3491412

SHA512
8a0694b3ed088b7b35e4412a8c7c7164cac4e8d648f42492e76d0d48e954057da25a155d3e7c4e9f1f5f213933a4890524c431a70affaa9a2ea9d02f203979e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
735be2d27d754ca183aadda6b9a24816

SHA1
7904177a0cdb36d37d0f6e66306c19cb765f3f82

SHA256
76c0def53d544d25a537bd5cb307011dc3bdfa5c501850a05c1cbfd958dac412

SHA512
65157ce23afafceef127f3bb724a3c6f2530df41d5f63ce4ecd8e60fc8307205b98e92d314c768365ad6960ebb3c54c70b547f6026d32a15c97bb5eb7b1ac382

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA16E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA1D3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Roaming\cmjmppr.exe

Filesize
796KB

MD5
2a82a8d01b2ddc18dd140c7473d2e3f0

SHA1
c176cda981e9252dbb4f651611d0a105f23c2dc9

SHA256
23dbff82389243685ef46c7f0a3bcb9c52806696e5d4701c7cab562891bc4619

SHA512
760a78b554d3f668bc211641e57a8b700ebcccb35de6f7390ae35c5dfb344cc7ff8ba1087cb13f5b47053f35561e5f2b7465b875cadda56e5eaccae97f1bae13

Download Submit
memory/2028-6098-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2128-1-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2128-2-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2128-3-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2128-20-0x0000000000260000-0x0000000000263000-memory.dmp

Filesize
12KB

Download
memory/2128-24-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2128-22-0x0000000002620000-0x0000000002AF9000-memory.dmp

Filesize
4.8MB

Download
memory/2128-0-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2704-56-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2704-34-0x0000000000400000-0x00000000008D9000-memory.dmp

Filesize
4.8MB

Download
memory/2768-6097-0x0000000003610000-0x0000000003612000-memory.dmp

Filesize
8KB

Download
memory/2768-62-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-6542-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-3963-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-6090-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-6091-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-55-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-57-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-6102-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-6103-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-1037-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-58-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/2768-60-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-8-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-23-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-14-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-18-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-21-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-6-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-4-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-10-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-33-0x0000000002740000-0x0000000002C19000-memory.dmp

Filesize
4.8MB

Download
memory/3044-35-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/3044-12-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download