Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
09-06-2023 06:54
Static task
static1
Behavioral task
behavioral1
Sample
08734899.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
08734899.exe
Resource
win10v2004-20230220-en
General
-
Target
08734899.exe
-
Size
232KB
-
MD5
60fabd1a2509b59831876d5e2aa71a6b
-
SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa
-
SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
-
SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
-
SSDEEP
3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
resource yara_rule behavioral1/memory/1736-54-0x0000000010000000-0x0000000010010000-memory.dmp chimera_loader_dll -
Renames multiple (2010) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
description ioc Process
File renamed C:\Users\Admin\Pictures\AssertGrant.tiff => C:\Users\Admin\Pictures\AssertGrant.tiff.crypt 08734899.exe
File opened for modification C:\Users\Admin\Pictures\WatchTest.tiff 08734899.exe
File renamed C:\Users\Admin\Pictures\WatchTest.tiff => C:\Users\Admin\Pictures\WatchTest.tiff.crypt 08734899.exe
File renamed C:\Users\Admin\Pictures\RestartDeny.crw => C:\Users\Admin\Pictures\RestartDeny.crw.crypt 08734899.exe
File renamed C:\Users\Admin\Pictures\CompressUnprotect.raw => C:\Users\Admin\Pictures\CompressUnprotect.raw.crypt 08734899.exe
File renamed C:\Users\Admin\Pictures\CompareRegister.png => C:\Users\Admin\Pictures\CompareRegister.png.crypt 08734899.exe
File opened for modification C:\Users\Admin\Pictures\AssertGrant.tiff 08734899.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 3 bot.whatismyipaddress.com -
Drops file in Program Files directory 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1736 08734899.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1628 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 1628 iexplore.exe 1628 iexplore.exe 1384 IEXPLORE.EXE 1384 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target
PID 1736 wrote to memory of 1628 1736 08734899.exe 31
PID 1736 wrote to memory of 1628 1736 08734899.exe 31
PID 1736 wrote to memory of 1628 1736 08734899.exe 31
PID 1736 wrote to memory of 1628 1736 08734899.exe 31
PID 1628 wrote to memory of 1384 1628 iexplore.exe 32
PID 1628 wrote to memory of 1384 1628 iexplore.exe 32
PID 1628 wrote to memory of 1384 1628 iexplore.exe 32
PID 1628 wrote to memory of 1384 1628 iexplore.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\08734899.exe"C:\Users\Admin\AppData\Local\Temp\08734899.exe"1⤵
- Chimera
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Desktop\YOUR_FILES_ARE_ENCRYPTED.HTML"2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1628 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1384
-
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
4KB
MD5b7985f11b8125b9274fde32c298b97cd
SHA1a85667937ae7bde043c9af0aafdff4510b210da3
SHA2568dafef47ea5f6bf20d2ec0250fc067521bfe3e7bb5d344d33fc7f1e955211294
SHA5127456bcfd35dfaac224f5e8dad6ad4c4a10bf333d0c1f3738c9ab7fc26acc88ad5bd7d001bd812b19cd6b97da30b7bcacc2881dfcc23b07e9bd7c64251e5013ca
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TF0W5LQL\suggestions[1].en-US
Filesize 17KB