chimera | 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

Analysis

max time kernel
135s
max time network
148s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HawkEye.exe
Size

232KB
MD5

60fabd1a2509b59831876d5e2aa71a6b
SHA1

8b91f3c4f721cb04cc4974fc91056f397ae78faa
SHA256

1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
SHA512

3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
SSDEEP

3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi

Score

10^/10

chimera ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

HawkEye.exe

description	ioc	process
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre7\lib\deploy\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-tw.txt	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
3	bot.whatismyipaddress.com
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OneNote\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\skins\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\Purble Place\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jre7\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Games\Chess\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\Office14\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\db\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Components\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

Processes:

resource	yara_rule
behavioral1/memory/2628-3-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Renames multiple (2010) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 37 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 bot.whatismyipaddress.com

flow	ioc
3	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

Processes:

HawkEye.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-favorites_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-profiler_ja.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.artifact.repository.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_cloudy.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\buttonDown_Off.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-heapdump_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\NavigationLeft_SelectionSubpicture.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfralm.dat	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.publisher_1.3.0.v20140911-0143.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.commons.codec_1.6.0.v201305230611.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\currency.js	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\epl-v10.html	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\open_original_form.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\SplashScreen.bmp	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyMainToScenesBackground.wmv	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.ja_5.5.0.165303.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\icon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\timeZones.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_black_moon-full_partly-cloudy.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\localizedStrings.js	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Blue_Gradient.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\gadget.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\item_hover_floating.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.help.ui.nl_zh_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ConnectionManager.xml	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bNext-hot.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\novelty_s.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-lib-profiler-charts_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\weather.html	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-today.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.simpleconfigurator.manipulator_2.0.0.v20131217-1203.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-snaptracer_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\settings.html	HawkEye.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\16_9-frame-highlight.png	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-heapwalker_zh_CN.jar	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\init.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp	HawkEye.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrenalm.dat	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\cpu.js	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\mc.jar	HawkEye.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml	HawkEye.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000bea98d763df7e95c20c20757cdc1f8c014f38c3a3d421be361ee517a32dad105000000000e80000000020000200000003bc2659b8ee3dce9f951d8681031bd7a39d16adc731d3f9dac49ae0724fa51be90000000877969c555d96691f15f12b68bb6c440a0cabf786911241f244001b5ee3e0cca0510b25a30d308e1bda631923347b7837a06116ae1183678e20e7d28e95c7d36f87c7d2873c98a2c3509f0915ba3cbbba3a196bb6921d87c3f983c8d4dd09b40b2a5a2537fd5ca77bdc466199318e256a23a36ee6c3f817d57048162152be2c41e598a1b7b29fc0269ebc25db79de5d2400000003bf2e1bb6450f5b07f67d234431b4dc588feb4ab92ef3fd12781f43d81a2cf46ae7731b1343c876d3af18ddb8c2a166e97a81b7b697d9c4d4022001a9addc9a0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{123C1041-7367-11EE-BDF7-CA9958541264} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80e8d5e77307da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005718aef034e0654ab00265bd8f8b2f5400000000020000000000106600000001000020000000adbc337981842ecde47a13e44df143af86c3178d53908abda06c278e11111844000000000e8000000002000020000000c22ff7bc9904f2cd0a68256a5c664c87221a6fa075d94931a0321f041871488320000000923f6b2ca762e2cfa530da9a478e71f0b0d2382c0433b42b0f69ff7b9cb74ec6400000007708283d62a139bb78d45e46f9f0668a1f8ba20184f2f00dc88e842334e9f855ad19deda14530a0c45602be11ebfbcae5091dfa164bc1ea1565e05ec00320c93	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "404421570"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HawkEye.exe

description pid process

Token: SeDebugPrivilege 2628 HawkEye.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1052 iexplore.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1052 iexplore.exe
1052 iexplore.exe
1080 IEXPLORE.EXE
1080 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2628	HawkEye.exe

pid	process
1052	iexplore.exe

pid	process
1052	iexplore.exe
1052	iexplore.exe
1080	IEXPLORE.EXE
1080	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

HawkEye.exeiexplore.exe

description	pid	process	target process
PID 2628 wrote to memory of 1052	2628	HawkEye.exe	iexplore.exe
PID 2628 wrote to memory of 1052	2628	HawkEye.exe	iexplore.exe
PID 2628 wrote to memory of 1052	2628	HawkEye.exe	iexplore.exe
PID 2628 wrote to memory of 1052	2628	HawkEye.exe	iexplore.exe
PID 1052 wrote to memory of 1080	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 1080	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 1080	1052	iexplore.exe	IEXPLORE.EXE
PID 1052 wrote to memory of 1080	1052	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\HawkEye.exe
"C:\Users\Admin\AppData\Local\Temp\HawkEye.exe"
1⤵
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
9d3c0a8509d6f85d07a24aa46ccd48e8

SHA1
a341eaa2aeb6d5df69461a0c750611234e3940a9

SHA256
d38bd379b5bb46ca6f3d8ddb7382d3708970900eb0af9a04dcb615b33fb22aa8

SHA512
7efeb902f926a72dd83979f443ade74d77c986712ea1da35c7386fc7da0f0ee8d97e176e7e69293152d8034549b5dad991aeac4d0db76c9524ce599f11d493ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b24f205ca7d48cdfdce49da872a9d57

SHA1
5ab9a6ffd624cf24d11084e10bfc8aa6d617aaf7

SHA256
4118129645e84258966851a794205544426e3ea3274c9722fb5cd5a987047551

SHA512
dadf3c0b4c46b2a98e3c1ec7759db5da6cd3f732c7cb844f325b27ae4f5d25a369f1bdff1325830ff6b9c5f09d87135c5d64455ab8dc3da532208801a0627cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
893ec1a003f9d5e9b1cdbeaf01818f4e

SHA1
7c4c4aea3400c2c4d2a6224d416a16a6cf470c02

SHA256
c2a16d7eb97c6b347fca8c0f8c7ea5d8ee31cf503685f7cd47714220999d8592

SHA512
d3b91249c8f92043f686445d197148841e4012dffd4c90f7d64675eacc9e76e586f95e374bedacbf4d3a002cfe3e59bb0c334272cf9629dcbf16a1cb1bfb1bc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f8a140ef5b16f92a0ed6e7ac7635919b

SHA1
b84d534e9d1b7711f2b53fad8caa1f0359fa6d42

SHA256
cb3f2936d55c6a2ab369414ec4f1045ce1db8e701e7b0126d0f0f06b42e05b23

SHA512
0c22948c555ec07190e242df80260e30faf82db5667803b855abfbead13110ea26f14ebf53cedbd110b4bea29398893ac72009f84d27a8800edafe771d62abfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1195fe9be69e27e7338b832d8fd48efc

SHA1
80538358f9a8f3e44eb21f688d73291e07fb9abe

SHA256
a7aad85d6f43a4ca39ba534b41b6cbd211ed37ac3e5d11e6c49a551474fc9319

SHA512
87a25210b0950424570e5b125800e930230fbf33a443c63f35281114a34b8e673b05b7543becefaeba857d44db356a70784d939c7f78024c68b19940c95a301c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ac62a199e0f7da243706262afdab6fa2

SHA1
c56411365ed2ccb45517fdb92927e3546b44e824

SHA256
f7f0b1ed2dcda8ecc25892941a1d89b6d7bcdf7bedd2ac91a60b1bf9443fec72

SHA512
26c655e73bf447f3b18e402394b76568221b5d547b62a0b5156f8592eebc46577ba6c5e02566e89614817c1ff311aa933556ddc68707b0954146a81456f3b786

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9894ce128a671218d1eced8906ff6ca

SHA1
b47ee5b5e544ec1030e0b8a4451870576cc3a8d7

SHA256
3fa2a1aef50203cd69293714ddff50b417dac2da166ae49f1840f8605140529a

SHA512
7ccb7cbdaf84aec6bf7b665cc1d4ba434ce537491f380a31e888ba4915f5f4e67a42a39ab22bc182b8a50e2094205da710e2f6ed586eb1b25da393b407dc0512

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c3a4edd6de01d2e30f01fc09ebce006

SHA1
684a4c13a889e882d4a3feccdf2ae6c820433629

SHA256
8d3221eb98b0272d6d0eeb3bcc5a2bedab3a6dd0e802b9dcfe503584ecb7d103

SHA512
52e888b557781b4f4e0ce203c5a1d9623d8d66a67f8623a67c1429e7b4397bcd89c530920f90c9b7b34020b05820c69c90e5534b1e338acd6776cb2fe267f475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47d898784a9660f341da2b7c428644a4

SHA1
7ba69f3c30fa608caab817732f995a7e6f756cee

SHA256
b6483dadaa12024ad964772f15ed95a9770652d08f4057a2601cae4af2d32562

SHA512
dc70fe032e6f40aa86f9779b5b67dac50ace4333cdf8d5ce459a4b4fb6343bd0e93fd5d3743d0b2fb7a7c97b835b6d7e444401d1a28d8a091022c5cc9415fd5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7355c7eac22ccb57dea086655fe9baf

SHA1
96c9799e6d6bbbd224f7c10c3dcd9b07e0ebaeaf

SHA256
694fc8ca5b1c6fdbce176e519785335ad34fd1427f819fc15880358125c90772

SHA512
94cc4e4972a0584eda21f59a4c26b67e621c18f93e75852bc5d569cb5de016690a881605134f22cba7287734ad67a2ecf197869ec4fa0f1c893f67805fcebe8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81e9f95c10c6993b108633d094cc16ab

SHA1
6752860d4ff6d84134c6058ce2be55076cf3fef2

SHA256
2d787fee84f8f6593077233fafe5e67d0f164cae4ca244890280f98ad45be22f

SHA512
d14e783053666d57097f93138517cfbecfba98e26f0de006bfaa9c27c86cf820e38eb6d7c19831bd9ef14979d4f1369d34575bdc7e38c9e56b6ead1132531d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83a2bdc2d72c969f2815854ca0b1bce0

SHA1
5f94863e65c8bb291218e59be50b8e6a0f30e805

SHA256
1b73a3ad5b196b3af6e88ca03105df75b75484244e4c18ad255f4b75a626801d

SHA512
96dc88e41bbbcd3f0eb72c148fb83cbcdd36ca7e0894145c76a8142815d19285033072aa9eb6d59c0d21410f862b03db4010918591e201eae74b40a3624ccbbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65af45be5a1a28461843d17b54acdcc3

SHA1
ca8f2f46f220d0c86d15b29b62eb91884e93d972

SHA256
beaf096b646794f70c3162278520879dd1f86ac45740b6486624a57127cbc399

SHA512
ed7cbd3a393b8008b3c1a4f18a572bcd3bc7e4fa23ecef661f3beb814e85551c41e68fa28278c274c7be21b962c77e049dc84e5b095c9741a448da6ff96873c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f3a097b17edb8ee928bc224600d79396

SHA1
a5fb5bb4adf52d0a0193937afba64c7ac95f8ceb

SHA256
8ff014f3372527b72d084370f463de007672b9dd4adef508f4bfc215d6bf41b4

SHA512
1810ee8113b0042cf60fd8a0e3a2bc6e4612fe7259b3ed60472e15239aa885345e86bfcd94b855eaca5ca59deac9c395a7179efd7a47c8761e667612a928786f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a2f1010e5461874f71d73a81a8b8dcf

SHA1
19d1af4e9f4a9be36f6a2c00ffd7eb71d8e72faa

SHA256
3e7424f015a1c3f7187045387b0ed1e753792f5b47cac11d887d093d50218f7c

SHA512
78f0e21d06bd041c382e70b9af2d76e52cfaf58012dce4e80a9a014d98a03bfd4c1ad19cba05174b3531abba8efbd48f2439745a9f575e79307ee556443373a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4b7066d973daf41218571b2efeed0b48

SHA1
5c7bcd9f7699718ba2e9cd50fc170ce91081136f

SHA256
1785e1b9f41a306b6e07b884329e2b76ab72f1b7c8a8596ed94a9f33739051a7

SHA512
5f2e9333987dd57d1d3ba0761a1fe6a372d39d148e06a821e4a1e018a1b1d01cd95100b995c67c911742993eb2e9983287ab00b3812aebe85e2465c9f6e94ffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7098394b263ea63e04a3740380f7184

SHA1
cfb6c7f6b4cc8d478e8536296b1b138e64f362a6

SHA256
ab91497d38e4184f16fd2347623d5a0b6efdeda70a3a986540791eefb580bbe7

SHA512
2abfbaa03bdc81441bcece11043853c8ad5f941a0be7668ef00ec4bca0868b576ebb2a27119d6b232e0e5824d8f97cafd91b49172f35461eb6beefa4e4792d0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2590989861eb672f12f4c7b8023c4cd

SHA1
4c64eb140830e0e20ca9d2fed5c8d1e290205d08

SHA256
fda797291b3f45db9d855c050028ef71948d164e0bd192b8f6af08f47dd16d17

SHA512
1cf205d9f13621c3b93d19ca89622df9a63ccde5bce015b37211f9f5023482ae82c191829a84c9283793daf5aba28d6216f9ab531a7c8568fbd7732baf7237fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4f71f11be7a160b78c717e6c0489a4f

SHA1
99e5b24690af66adfd8fd19d9737ea5a12924d8d

SHA256
57be4300ad82a19496d728366ef9325a4701ffde82a814ab7cd5f04c44e04b04

SHA512
0f2b2df64b4714f1871bdcde08d83071cd0c87fdd4463826e26ce7a55d511ac104d5a36b513230eaa0dc86e1de03961699cc1937de62183c19db8a8268aa4400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ef17e5d71a90a249a0b8c74fbdab1e00

SHA1
ed51f4aadb81753e0d45986308083db1b8e211c7

SHA256
e90dfb361f1b01b4580d8a8019795d623cbeb7674810440744800f28778fb147

SHA512
9e085fdf396bca4203350749897b46650ea8ededcd671e92280027e3b22f6c9da15c08ef402aa7fe2436721637545ef4f6b13222568a3d144ac9a6e2b9a7a52a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
238cba91b24eeb72216b12e034d7c49c

SHA1
4a5ee1248ea9ae19ee3d500f7a7db17bf294b04d

SHA256
bd594a383504856e641748f3749127c5c3745429328964144ebde775235b7342

SHA512
672235dbe8954baa81d5414bc02e88b2fd3b50425e2b9cf9f25845fcb15d9129ecb2c613f55781c006effab911a7f2dd24c511b7172c60d405b4fd82cc89cefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab457B.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45DB.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\Music\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
9d3c0a8509d6f85d07a24aa46ccd48e8

SHA1
a341eaa2aeb6d5df69461a0c750611234e3940a9

SHA256
d38bd379b5bb46ca6f3d8ddb7382d3708970900eb0af9a04dcb615b33fb22aa8

SHA512
7efeb902f926a72dd83979f443ade74d77c986712ea1da35c7386fc7da0f0ee8d97e176e7e69293152d8034549b5dad991aeac4d0db76c9524ce599f11d493ca

Download Submit
memory/2628-2-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2628-1-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-9-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/2628-0-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-8-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2628-682-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2628-610-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2628-3-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2628-94-0x0000000074DD0000-0x000000007537B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-10-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download