Analysis
- max time kernel: 146s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 01-03-2024 09:05
Static task: static1

Behavioral task: behavioral1
Sample: Trojan-Ransom.Win32.Chimera.exe
Resource: win7-20240220-en

Behavioral task: behavioral2
Sample: Trojan-Ransom.Win32.Chimera.exe
Resource: win10v2004-20240226-en
General
- Target: Trojan-Ransom.Win32.Chimera.exe
- Size: 232KB
- MD5: 60fabd1a2509b59831876d5e2aa71a6b
- SHA1: 8b91f3c4f721cb04cc4974fc91056f397ae78faa
- SHA256: 1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838
- SHA512: 3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a
- SSDEEP: 3072:BMhIBKH7j7DzQi7y5bvl4YAbdY9KWvwn7XHMzqEOf64CEEl64HBVdGXPKD:BMh5H7j5g54YZKXoxOuEEl64HZAi
Malware Config
Signatures
-
Chimera 64 IoCs
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL 1 IoCs
Drops/unpacks executable file which resembles Chimera's Loader.dll.
Processes:
resource | yara_rule
behavioral1/memory/3040-3-0x0000000010000000-0x0000000010010000-memory.dmp | chimera_loader_dll
-
Detects Reflective DLL injection artifacts 2 IoCs
Processes:
resource | yara_rule
behavioral1/memory/3040-9-0x0000000000630000-0x000000000064A000-memory.dmp | INDICATOR_SUSPICIOUS_ReflectiveLoader
behavioral1/memory/3040-10-0x0000000000630000-0x000000000064A000-memory.dmp | INDICATOR_SUSPICIOUS_ReflectiveLoader
-
Renames multiple (2020) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 37 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
3 | bot.whatismyipaddress.com
-
Drops file in Program Files directory 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: Trojan-Ransom.Win32.Chimera.exe
description | pid | process
Token: SeDebugPrivilege | 3040 | Trojan-Ransom.Win32.Chimera.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: iexplore.exe
pid | process
884 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
884 | iexplore.exe
884 | iexplore.exe
2028 | IEXPLORE.EXE
2028 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes: Trojan-Ransom.Win32.Chimera.exe, iexplore.exe
description | pid | process | target process
PID 3040 wrote to memory of 884 | 3040 | Trojan-Ransom.Win32.Chimera.exe | iexplore.exe
PID 3040 wrote to memory of 884 | 3040 | Trojan-Ransom.Win32.Chimera.exe | iexplore.exe
PID 3040 wrote to memory of 884 | 3040 | Trojan-Ransom.Win32.Chimera.exe | iexplore.exe
PID 3040 wrote to memory of 884 | 3040 | Trojan-Ransom.Win32.Chimera.exe | iexplore.exe
PID 884 wrote to memory of 2028 | 884 | iexplore.exe | IEXPLORE.EXE
PID 884 wrote to memory of 2028 | 884 | iexplore.exe | IEXPLORE.EXE
PID 884 wrote to memory of 2028 | 884 | iexplore.exe | IEXPLORE.EXE
PID 884 wrote to memory of 2028 | 884 | iexplore.exe | IEXPLORE.EXE
Processes
C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan-Ransom.Win32.Chimera.exe"
PID:3040
- Chimera
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
    PID:884
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
        PID:2028
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads