Analysis
max time kernel: 134s
max time network: 147s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2023 20:57

Static task: static1

Behavioral task: behavioral1
Sample: HawkEye.exe
Resource: win7-20230220-en

Behavioral task: behavioral2
Sample: HawkEye.exe
Resource: win10v2004-20230220-en
General
Target: HawkEye.exe
Size: 232KB
MD5: 60fabd1a2509b59831876d5e2aa71a6b
SHA1: 8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512: 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP: 3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Description | IoC | Process
File created | C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Games\SpiderSolitaire\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Games\FreeCell\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Swirl\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Games\Purble Place\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Games\Mahjong\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\images\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\db\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Microsoft Games\Solitaire\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\7-Zip\Lang\zh-tw.txt | HawkEye.exe
File created | C:\Program Files (x86)\Windows Sidebar\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\ManagedObjects\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe

Chimera Ransomware Loader DLL 2 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
Resource | YARA rule
behavioral1/memory/1720-54-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
behavioral1/memory/1720-59-0x00000000009C0000-0x0000000000A00000-memory.dmp | chimera_loader_dll

Renames multiple (1999) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Modifies extensions of user files 5 IoCs
Ransomware generally changes the extension on encrypted files.
Description | IoC | Process
File renamed | C:\Users\Admin\Pictures\StartProtect.crw => C:\Users\Admin\Pictures\StartProtect.crw.crypt | HawkEye.exe
File renamed | C:\Users\Admin\Pictures\SplitTest.png => C:\Users\Admin\Pictures\SplitTest.png.crypt | HawkEye.exe
File renamed | C:\Users\Admin\Pictures\NewInitialize.crw => C:\Users\Admin\Pictures\NewInitialize.crw.crypt | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\CopyWrite.tiff | HawkEye.exe
File renamed | C:\Users\Admin\Pictures\CopyWrite.tiff => C:\Users\Admin\Pictures\CopyWrite.tiff.crypt | HawkEye.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Drops desktop.ini file(s) 37 IoCs
Description | IoC | Process
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\FreeCell\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Videos\Sample Videos\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\Purble Place\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Music\Sample Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Pictures\Sample Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\Mahjong\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\Chess\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Public\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | HawkEye.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | HawkEye.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\desktop.ini | HawkEye.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow | IoC
3 | bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs
Description | IoC | Process
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.server_8.1.14.v20131031.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.commands.nl_ja_4.4.0.v20140623020002.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\org-openide-modules_zh_CN.jar | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\button_right_over.gif | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\AssemblyInfoInternal.zip | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.jobs_3.6.0.v20140424-0053.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-nodes.jar | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Push\push_item.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_left_hover.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\logo.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler_ja.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterToolTemplates.xml | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\menu_style_default_Thumbnail.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-openide-io.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sa_ja.jar | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\16_9-frame-image-mask.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\attention.gif | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\glass.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\logo.png | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg | HawkEye.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml | HawkEye.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_h.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.jpg | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.intro.nl_zh_4.4.0.v20140623020002.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\topnav.gif | HawkEye.exe
File opened for modification | C:\Program Files\7-Zip\Lang\sa.txt | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\PublicFunctions.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\gadget.xml | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dial.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_box_left.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\bg_OliveGreen.gif | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.nl_zh_4.4.0.v20140623020002.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.director.app.nl_zh_4.4.0.v20140623020002.jar | HawkEye.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\settings.html | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\icon.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_blue_partly-cloudy.png | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\org-netbeans-lib-profiler-common.jar | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Full\NavigationLeft_SelectionSubpicture.png | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-border.png | HawkEye.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\search_background.png | HawkEye.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML | HawkEye.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\localizedStrings.js | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_alignleft.gif | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg | HawkEye.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\Title_Trans_Notes_PAL.wmv | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml | HawkEye.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_bottom_right.png | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.common_3.6.200.v20130402-1505.jar | HawkEye.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_ja.jar | HawkEye.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png | HawkEye.exe

Modifies Internet Explorer settings
Description | IoC | Process
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C846111-FDAB-11ED-AB51-5E76FDCFC840} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data value omitted in source) | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d04a80731c0724289715f6d8feebdf600000000020000000000106600000001000020000000c021cddae6be0b90e35139e52e9c537497ba0567f012d73467cfeb7e9a5ef7eb000000000e8000000002000020000000f5836b7b050a66fee95eece9bc752b47b40d5af7af527b7e3cadc24928a8643620000000ae00832241e6c01cbb36c155dc4651ca2f3cafac93ed7e504287298715db269040000000d8d2493e0b5c1c262788d418442d8f668abe22d8a820a828aad24597b69c2f72ee5b21cf1e64045eb31853655ade7f093c726d3b4ef3baffd736e623d8f6d20e | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "392079663" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0f2f1f4b791d901 | iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
Description | PID | Process
Token: SeDebugPrivilege | 1720 | HawkEye.exe

Suspicious use of FindShellTrayWindow 1 IoCs
PID | Process
1140 | iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs
PID | Process
1140 | iexplore.exe
1140 | iexplore.exe
836 | IEXPLORE.EXE
836 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs
Description | PID | Process | procid_target
PID 1720 wrote to memory of 1140 | 1720 | HawkEye.exe | 32
PID 1720 wrote to memory of 1140 | 1720 | HawkEye.exe | 32
PID 1720 wrote to memory of 1140 | 1720 | HawkEye.exe | 32
PID 1720 wrote to memory of 1140 | 1720 | HawkEye.exe | 32
PID 1140 wrote to memory of 836 | 1140 | iexplore.exe | 33
PID 1140 wrote to memory of 836 | 1140 | iexplore.exe | 33
PID 1140 wrote to memory of 836 | 1140 | iexplore.exe | 33
PID 1140 wrote to memory of 836 | 1140 | iexplore.exe | 33
Processes

1. C:\Users\Admin\AppData\Local\Temp\HawkEye.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"
   - Chimera
   - Modifies extensions of user files
   - Drops desktop.ini file(s)
   - Drops file in Program Files directory
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 1720

   2. C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1140

      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
         PID: 836

Network

Remote address: 8.8.8.8:53
Request: bot.whatismyipaddress.com IN A
Response:

Remote address: 8.8.8.8:53
Request: www.veryicon.com IN A
Response: www.veryicon.com IN A 172.67.128.251
          www.veryicon.com IN A 104.21.1.97

Remote address: 216.58.208.106:80
Request:
GET /css?family=Audiowide HTTP/1.1
Accept: text/css, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: fonts.googleapis.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
Expires: Sun, 28 May 2023 20:58:11 GMT
Date: Sun, 28 May 2023 20:58:11 GMT
Cache-Control: private, max-age=86400
Cross-Origin-Opener-Policy: same-origin-allow-popups
Cross-Origin-Resource-Policy: cross-origin
Content-Encoding: gzip
Transfer-Encoding: chunked
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff

Remote address: 172.67.128.251:80
Request:
GET /icon/png/Flag/Flag%204/Germany.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.veryicon.com
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 28 May 2023 21:58:11 GMT
Location: https://www.veryicon.com/icon/png/Flag/Flag%204/Germany.png
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=dQcizxQORKy%2Bl2DOeGkVtOCZJosozaE2WmihcPGp7o1YOvr8iZ7c6Q0BXiXeO5XvQ1WbaxOYUpipJPr1kuakWA0NoYGrGkoYYCTf8oWhjQPLZrDTrNqUCfksXl0g%2B3g%2Fb7L2"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7ce96a0c38c30ae0-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.128.251:80
Request:
GET /icon/png/Flag/Flag%204/United%20Kingdom.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.veryicon.com
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Sun, 28 May 2023 21:58:11 GMT
Location: https://www.veryicon.com/icon/png/Flag/Flag%204/United%20Kingdom.png
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y7udMhNGmJBQN0gp%2FUj3o0qANUrboDWaqSEtiRP0eZhiSsNSPtr5IeHYdRKPIIaqfX7c80mg4BOGP6hm%2B1DULs4GIpEBm12rVGkUjONEupFxVFZUzPH0a8M1ICJktb4bRUWQ"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7ce96a0c3f581c96-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.128.251:443
Request:
GET /icon/png/Flag/Flag%204/United%20Kingdom.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.veryicon.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 3739
Connection: keep-alive
Last-Modified: Tue, 16 Apr 2019 12:40:36 GMT
ETag: "1d4f45196caf49b"
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=QLR5suNVloPlMP9PdaLkW3YJKmDyH4hWPItrXzbatX%2FGTYlakz1PBVqRqB0seVrUVIb%2B%2FH6MfpMYOcHUyYkxiuXozXpL88%2BCk7TQ31Jh4QJ3YtH2d%2FhKtMiPWF%2FdIeGSmB3C"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7ce96a162aa21b09-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 172.67.128.251:443
Request:
GET /icon/png/Flag/Flag%204/Germany.png HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: www.veryicon.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 1340
Connection: keep-alive
Last-Modified: Tue, 16 Apr 2019 12:40:37 GMT
ETag: "1d4f451976395bc"
CF-Cache-Status: MISS
Accept-Ranges: bytes
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=XLbYn1RmPfxHfRE%2FV3rZuKg5eXSbLjfblVtfCnVNHEZA9kd5sbGsEcv0KXnkQfN8y37RIlm39GjOIecX4EjftrcGxGRyEnjtrZ9xAiDtvgHIWLEwFHSsNv5Bnu%2F%2BDPZKa34e"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000; includeSubDomains; preload
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 7ce96a12bdc41caa-AMS
alt-svc: h3=":443"; ma=86400
-
Remote address: 8.8.8.8:53
Request: i.imgur.com IN A
Response: i.imgur.com IN CNAME ipv4.imgur.map.fastly.net; ipv4.imgur.map.fastly.net IN A 199.232.148.193
-
Remote address: 199.232.148.193:80
Request:
GET /zHNCk2e.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: i.imgur.com
Connection: Keep-Alive
Response:
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Retry-After: 0
Location: https://i.imgur.com/zHNCk2e.gif
Accept-Ranges: bytes
Date: Sun, 28 May 2023 20:58:15 GMT
X-Served-By: cache-ams12722-AMS
X-Cache: HIT
X-Cache-Hits: 0
X-Timer: S1685307495.029853,VS0,VE0
Strict-Transport-Security: max-age=300
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Server: cat factory 1.0
-
Remote address: 142.250.179.131:80
Request:
GET /s/audiowide/v16/l7gdbjpo0cum0ckerWCdlg_I.woff HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Origin: file:
Accept-Encoding: gzip, deflate
Host: fonts.gstatic.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Type: font/woff
Access-Control-Allow-Origin: *
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/apps-themes
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="apps-themes"
Report-To: {"group":"apps-themes","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/apps-themes"}]}
Timing-Allow-Origin: *
Content-Length: 17832
Date: Sun, 28 May 2023 20:58:15 GMT
Expires: Mon, 27 May 2024 20:58:15 GMT
Cache-Control: public, max-age=31536000
Last-Modified: Tue, 19 Apr 2022 18:12:56 GMT
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
-
Remote address: 199.232.148.193:443
Request:
GET /zHNCk2e.gif HTTP/1.1
Accept: image/png, image/svg+xml, image/*;q=0.8, */*;q=0.5
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate
Host: i.imgur.com
Connection: Keep-Alive
Response:
HTTP/1.1 200 OK
Content-Length: 1555
Content-Type: image/gif
Last-Modified: Sat, 19 Oct 2013 15:05:36 GMT
ETag: "071b5a717594fd473a331a24ccf83e3e"
X-Amz-Cf-Pop: IAD12-P2
X-Amz-Cf-Id: f_Sq4PVV8A42T1pvOeLuQnWQPMz4iIKOsTHOXQLBZ-Pr9UseLVMWSQ==
cache-control: public, max-age=31536000
Accept-Ranges: bytes
Date: Sun, 28 May 2023 20:58:15 GMT
Age: 997481
X-Served-By: cache-iad-kiad7000031-IAD, cache-ams12733-AMS
X-Cache: Miss from cloudfront, HIT, HIT
X-Cache-Hits: 18, 1
X-Timer: S1685307496.972381,VS0,VE1
Strict-Transport-Security: max-age=300
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Server: cat factory 1.0
X-Content-Type-Options: nosniff
-
Remote address: 8.8.8.8:53
Request: www.microsoft.com IN A
Response: www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net; www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net; www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net; e13678.dscb.akamaiedge.net IN A 173.223.113.131
-
152 B 3
-
435 B 835 B 4 4
HTTP Request
GET http://fonts.googleapis.com/css?family=Audiowide
HTTP Response
200 -
488 B 1.6kB 4 4
HTTP Request
GET http://www.veryicon.com/icon/png/Flag/Flag%204/Germany.png
HTTP Response
301 -
98 B 52 B 2 1
-
172.67.128.251:80 http://www.veryicon.com/icon/png/Flag/Flag%204/United%20Kingdom.png http IEXPLORE.EXE 497 B 1.6kB 4 4
HTTP Request
GET http://www.veryicon.com/icon/png/Flag/Flag%204/United%20Kingdom.png
HTTP Response
301 -
172.67.128.251:443 https://www.veryicon.com/icon/png/Flag/Flag%204/United%20Kingdom.png tls, http IEXPLORE.EXE 1.2kB 10.6kB 11 15
HTTP Request
GET https://www.veryicon.com/icon/png/Flag/Flag%204/United%20Kingdom.png
HTTP Response
200 -
172.67.128.251:443 https://www.veryicon.com/icon/png/Flag/Flag%204/Germany.png tls, http IEXPLORE.EXE 1.1kB 8.8kB 10 13
HTTP Request
GET https://www.veryicon.com/icon/png/Flag/Flag%204/Germany.png
HTTP Response
200 -
152 B 3
-
150 B 104 B 3 2
-
500 B 644 B 5 5
HTTP Request
GET http://i.imgur.com/zHNCk2e.gif
HTTP Response
301 -
142.250.179.131:80 http://fonts.gstatic.com/s/audiowide/v16/l7gdbjpo0cum0ckerWCdlg_I.woff http IEXPLORE.EXE 784 B 19.2kB 11 16
HTTP Request
GET http://fonts.gstatic.com/s/audiowide/v16/l7gdbjpo0cum0ckerWCdlg_I.woff
HTTP Response
200 -
98 B 52 B 2 1
-
1.1kB 8.7kB 9 13
HTTP Request
GET https://i.imgur.com/zHNCk2e.gif
HTTP Response
200 -
152 B 3
-
152 B 3
-
707 B 7.6kB 8 11
-
152 B 3
-
152 B 3
-
71 B 130 B 1 1
DNS Request
bot.whatismyipaddress.com
-
62 B 94 B 1 1
DNS Request
www.veryicon.com
DNS Response
172.67.128.251, 104.21.1.97
-
57 B 112 B 1 1
DNS Request
i.imgur.com
DNS Response
199.232.148.193
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
173.223.113.131
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 4KB
MD5 5b35be697d97daaae6df66d1c70e9b9e
SHA1 bc3b7c77c37c30dbfd4be6c78dd078d9dc134896
SHA256 a4177ab0c37e5ac131e753c6c82a9c0ba3169be7443e9cffc49ef5700b063295
SHA512 dd4ae0938cdca7c988a482e9efe098871e51affb7105719a5ac451da7c9db278a2131418062b43bee58e47a948e9eaa6683c9f04dcf2fe666d5a9df46d38c607
-
Filesize 62KB
MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize 62KB
MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a85b97219f9ef7b7a4df6c423d7aecef
SHA1 a750a05636bfd2a44f1a711e0561f841e207ce13
SHA256 b832288519632bfd30438b692f02356da0f518f97262d445551f1aa9cb9601f2
SHA512 1a474f54143a041f4e2fdef5504214c6dfe37eafe787fa422f5d0ac2e181de168910e2e7972f0d530703957b78cc998be066efd68bc847fd8cd6783ad378bf98
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 f4632f6e4baf43180bc37b867513cac2
SHA1 50deefed6592fcaf819b31c24c3d39e3c0c68837
SHA256 e528af3c6070f1a3563ae90cd529bac8602c54ad126396f23308dc7f50b57307
SHA512 6d458d7ec5f87911d8e94347e4e52299fe321c0a902a1dbdc9816f33663b2448c90bdebb8d9c88f9a3b969746dcc5bed28349b14ce4e89f0650dab4452ce96f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 55697c472d318ab1f0981abbcd79cc56
SHA1 5088b191440e1a211e32332113b5730ed273569b
SHA256 be23fb09e72b11c864c7b378c3d7a6a882af3b172a9b4b699a3c03959ab7ebc8
SHA512 558f363dda261542cf95213095c2f9c14a0179c8cba62729ed830a42facb293318d4f02c43c0e5b3bbc52c4d2394be0100b81cd0e81fa824a45d729f2d38b074
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 95660a7b08c1d954188c8af8b80638d1
SHA1 3f45ee7a6efcae38e88d675d9d2f1992b85e84eb
SHA256 8efa47082e4b1305b6cb477770db897a8c777d3649844b6ffe4ebbe63b9c90ca
SHA512 8550225eca7012fa77f6e11cf4078accbb42a5440c8e7a3ee4c686d5406624d5c26bee5ac86379257342a26dd0cfed0e59815201b96dded9b784ea3eb25ba2e6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 c6b227ae464651279fe3365d7a5f026a
SHA1 d5dbaad6ab8c0f2e80ddf82b5c66e552368792a3
SHA256 fe3fca7039f327fd5c47f84eebe8d865e99b689b2fbac49edb4f3de1494dc7a0
SHA512 b6992584d0af5074ba5fc7752fee68a7d8c82aaee2e0f924bbc67dc7d491403ef2aaa115b287a4bfd3801cc8564793ce6b4218acae02cfafc15c2497eb96c0cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 9b7ff4d5e7ed2e266a60846ec87ed30a
SHA1 6f058ae9ba0b207702b8c778c95d3633c6c1e17f
SHA256 9c410cf6e8aecc70d79644503caf9077db564be6044070ffb32fcbf30818904c
SHA512 3ecf5c87007c1175f4ab243f6bc03ed7840a85028fda60d096a79c3458fd91ec7267772f85b5cdeb33f036904920aeb2b40c6f2a83d5c2dd33d432ae6fbb0df4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 4c98d6787758bce6752a23e026d8778c
SHA1 2cff16f21f62bc5cf4c16b807044badcf61cf5ee
SHA256 e4cb7672150f0dca8867f4f43d4c2060d2101abc9518960c9728514f44ccb9a0
SHA512 d294eeef4e08971e2612d93f236bb7b473d42918b08d4e4afba9324b77567fbd1e43fe3bc6d40e922dd28c5b78ec56d03201816def477d989373a9fa704ea590
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 89e4440d0df8827bab5b9ecfcc14d77c
SHA1 7b0333ca6d1c19f4308f58b973e31f3bb8ee2176
SHA256 20b8107cb18033b2fcd42e7228739ea5d0d60fd1a2a668dfcc13147ea36cbf74
SHA512 5ecab3d05fcb6f367075476234431a4aab243d2c96a5b7001b87676151644f1e001935860ca73aa88d06b2ef8608aa504e7be3bc7c110b2a76a6c6432283823a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 d15ba847a9654ceb9c5dc90ef5fc093e
SHA1 dd0884bc0acb5f363cf9504761e2c7a62b269b17
SHA256 eb98c65c9dc9e5cf04ac9f70d26d7e49f8e0ddb02fce51cee802aa69a2563b67
SHA512 84378a60acf3689d9caaa9bd302dd5de3cede7f0352cbb76ce6d4c79d4d7262c81eb2b13becb0270f599ef7d24c0f55c2732b6e377a41fe8be85799dc7a80024
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 a87ea005e997a4d90fc1bb8b78c0a795
SHA1 2dfed601890c8370dce88038a023bfdb2438c996
SHA256 fe9b47df97646729e0a3b420329b34d48b76c7c88f7be49c0010aaf126f5915f
SHA512 b9a83bb89a2a8d199e84faf38d2dd7cd54437108c178c42c1fc33ee4c720100a3b5cd66d66800599537590d4ae1b9ca3687df3f276ffc3b0f9b4fa13cbb91ec7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 15cd80c2dece9bc3a95d7c93bca0cf57
SHA1 eb5f0e04a5606c9d9c0aaf2f55186a7f079ff4a2
SHA256 f995f5f27bd94a68db8d8a642a1b5076afc78c782c1a7ff1a456b2e1b2fb7430
SHA512 1d0da9cf1967a3f39b37885725a43ef376a3eb0bb43bc16b3055d36c0893a5d1a677a3e9458b5bf47940720f443389b98783ae7dfa557818122c3339fd073670
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ad032f15fe735d54131481a648999fb9
SHA1 0627ce8cb21a685a0b6cfc687e830d1950eb2c9e
SHA256 eb403119863bdba015a293931897445a46ca66f5f69227f9f26c79dc33816d7f
SHA512 faacbd8c1088847b47ce92dfef42237877045655e28f47ae495bd717520648e931f1d9c9b14fb59d443b85d909182a81b0ae324f0e714b42e6ab77455c7dde99
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 385ffec116a14c7ca4d71170756a5d60
SHA1 f22c180e7d60b06550eac812026744f8d76cf2da
SHA256 138d965dd1603997030b8664c6b404422272262a11b5a74e227a4b8603c9340d
SHA512 52637acf9a9aa83381b969b5fb00fa2ee821e8aa0513707480b903cc04e8ecc808ea2065b74bed145deefbd169f5f975389d406aa7e60f9e3dc85a8db66bde00
-
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize 61KB
MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
Filesize 164KB
MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
Filesize 599B
MD5 425191d1b01d5fa6e8414c990e5d5d14
SHA1 d9d404b2970d18965f5ac6918579fcb7f3a5d279
SHA256 e92619c84f24314292b41a3aaf42243ca8f948dbd2ef12f104c2da5cd58b20e3
SHA512 1a0bb6525b78a342fc588d8c60e35d2676f6581292f32129d29ac26c6d218eac50109769e1150c88615857d18b4e4f59544da97e3a9c3be632e53bf531fd7439
-
Filesize 4KB
MD5 5b35be697d97daaae6df66d1c70e9b9e
SHA1 bc3b7c77c37c30dbfd4be6c78dd078d9dc134896
SHA256 a4177ab0c37e5ac131e753c6c82a9c0ba3169be7443e9cffc49ef5700b063295
SHA512 dd4ae0938cdca7c988a482e9efe098871e51affb7105719a5ac451da7c9db278a2131418062b43bee58e47a948e9eaa6683c9f04dcf2fe666d5a9df46d38c607